diff --git a/.github/workflows/build-and-publish-images.yaml b/.github/workflows/build-and-publish-images.yaml index 6515e91ba..9de94a0a6 100644 --- a/.github/workflows/build-and-publish-images.yaml +++ b/.github/workflows/build-and-publish-images.yaml @@ -17,6 +17,10 @@ on: - "[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+" - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+" +env: + GO_VERSION: "1.22.5" + BUILDKIT_VERSION: "v0.15.1" + jobs: publish-generic-images: name: Publish @@ -34,6 +38,7 @@ jobs: - image: tunnel-manager - image: image-cache - image: assets-server + - image: lookup-service steps: - name: Check out the repository @@ -67,16 +72,12 @@ jobs: - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 - # related issues for pinning buildkit - # https://github.com/docker/build-push-action/issues/761 - # https://github.com/containerd/containerd/issues/7972 - # https://github.com/containerd/containerd/pull/6995 with: driver-opts: | - image=moby/buildkit:v0.10.6 + image=moby/buildkit:${{env.BUILDKIT_VERSION}} - name: Restore Docker cache (amd64) - if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') }} + if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') || (matrix.image == 'lookup-service') }} uses: actions/cache/restore@v4 with: path: /tmp/.buildx-cache-amd64-new 
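Review bot: The four comment lines explaining why BuildKit is pinned (the links to docker/build-push-action#761 and the two containerd issues) are deleted in the `@@ -67` hunk while the pin itself is kept, now spelled `image=moby/buildkit:${{env.BUILDKIT_VERSION}}`, so the workflow no longer records why the default BuildKit image is avoided; the same deletion recurs in the hunks at -203, -364 and -821. Move the rationale to where the value now lives, above `BUILDKIT_VERSION: "v0.15.1"` in the `@@ -17` hunk, e.g. `# Pinned deliberately; see docker/build-push-action#761 and containerd#7972 / #6995 before changing.` If v0.15.1 was chosen because those issues are fixed, say that instead so the pin can be revisited. The BuildKit image is still referenced by tag rather than digest; whether a digest pin is wanted for build tooling is a project policy call, but it is worth a sentence in the same comment.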
@@ -85,7 +86,7 @@ jobs: ${{runner.os}}-buildx-cache-amd64-${{matrix.image}}- - name: Restore Docker cache (arm64) - if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') }} + if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') || (matrix.image == 'lookup-service') }} uses: actions/cache/restore@v4 with: path: /tmp/.buildx-cache-arm64-new @@ -118,7 +119,7 @@ jobs: registry: ghcr.io - name: Build and push ${{matrix.image}} image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: ${{matrix.image}} platforms: ${{env.TARGET_PLATFORMS}} @@ -130,7 +131,7 @@ jobs: - name: Cache build ${{matrix.image}} (amd64) if: contains(env.TARGET_PLATFORMS, 'linux/amd64') - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: ${{matrix.image}} platforms: linux/amd64 @@ -140,7 +141,7 @@ jobs: - name: Cache build ${{matrix.image}} (arm64) if: contains(env.TARGET_PLATFORMS, 'linux/arm64') - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: ${{matrix.image}} platforms: linux/arm64 
@@ -149,19 +150,19 @@ jobs: push: false - name: Dump cache directory sizes - if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') }} + if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') || (matrix.image == 'lookup-service') }} run: | du -ks /tmp/.buildx-cache-* || true - name: Save Docker cache (amd64) - if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') }} + if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') || (matrix.image == 'lookup-service') }} uses: actions/cache/save@v4 with: path: /tmp/.buildx-cache-amd64-new key: ${{runner.os}}-buildx-cache-amd64-${{matrix.image}}-${{github.sha}} - name: Save Docker cache (arm64) - if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') }} + if: ${{ (matrix.image == 'secrets-manager') || (matrix.image == 'session-manager') || (matrix.image == 'training-portal') || (matrix.image == 'tunnel-manager') || (matrix.image == 'lookup-service') }} uses: actions/cache/save@v4 with: path: /tmp/.buildx-cache-arm64-new @@ -203,13 +204,9 @@ jobs: - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 - # related issues for pinning buildkit - # https://github.com/docker/build-push-action/issues/761 - # https://github.com/containerd/containerd/issues/7972 - # https://github.com/containerd/containerd/pull/6995 with: driver-opts: | - image=moby/buildkit:v0.10.6 + image=moby/buildkit:${{env.BUILDKIT_VERSION}} - name: Verify docker daemon image contents run: | 
@@ -265,7 +262,7 @@ jobs: registry: ghcr.io - name: Build and push base-environment image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: workshop-images/base-environment platforms: ${{env.TARGET_PLATFORMS}} @@ -277,7 +274,7 @@ jobs: - name: Cache build ${{matrix.image}} (amd64) if: contains(env.TARGET_PLATFORMS, 'linux/amd64') - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: workshop-images/base-environment platforms: linux/amd64 @@ -291,7 +288,7 @@ jobs: - name: Cache build ${{matrix.image}} (arm64) if: contains(env.TARGET_PLATFORMS, 'linux/arm64') - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: workshop-images/base-environment platforms: linux/arm64 @@ -364,13 +361,9 @@ jobs: - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 - # related issues for pinning buildkit - # https://github.com/docker/build-push-action/issues/761 - # https://github.com/containerd/containerd/issues/7972 - # https://github.com/containerd/containerd/pull/6995 with: driver-opts: | - image=moby/buildkit:v0.10.6 + image=moby/buildkit:${{env.BUILDKIT_VERSION}} - name: Verify docker daemon image contents run: | @@ -427,7 +420,7 @@ jobs: registry: ghcr.io - name: Build and push ${{matrix.image}} image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: workshop-images/${{matrix.image}} platforms: ${{env.TARGET_PLATFORMS}} @@ -443,7 +436,7 @@ jobs: - name: Cache build ${{matrix.image}} (amd64) if: contains(env.TARGET_PLATFORMS, 'linux/amd64') - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: workshop-images/${{matrix.image}} platforms: linux/amd64 
@@ -461,7 +454,7 @@ jobs: - name: Cache build ${{matrix.image}} (arm64) if: contains(env.TARGET_PLATFORMS, 'linux/arm64') - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: workshop-images/${{matrix.image}} platforms: linux/arm64 
@@ -515,82 +508,96 @@ jobs: echo "REPOSITORY_TAG=${GITHUB_REF##*/}" >>${GITHUB_ENV} echo "REPOSITORY_SHA_TAG=sha-${GITHUB_SHA::7}" >>${GITHUB_ENV} - - name: Publish educates-cluster-essentials bundle + - name: Create publish values file shell: bash run: | - ytt -f carvel-packages/cluster-essentials/bundle/config | kbld -f - \ - --imgpkg-lock-output carvel-packages/cluster-essentials/bundle/.imgpkg/images.yml - imgpkg push \ - -b ghcr.io/${{env.REPOSITORY_OWNER}}/educates-cluster-essentials:${{env.REPOSITORY_TAG}} \ - -f carvel-packages/cluster-essentials/bundle \ - --registry-username=${{github.actor}} \ - --registry-password=${{secrets.GITHUB_TOKEN}} - ytt -f carvel-packages/cluster-essentials/bundle \ - --data-values-schema-inspect -o openapi-v3 > educates-cluster-essentials-schema-openapi.yaml - ytt -f carvel-packages/cluster-essentials/config/package.yaml \ - -f carvel-packages/cluster-essentials/config/schema.yaml \ - -v version=${{env.REPOSITORY_TAG}} \ - -v releasedAt=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \ - --data-value-file openapi=educates-cluster-essentials-schema-openapi.yaml \ - -v imageRegistry.host=ghcr.io \ - -v imageRegistry.namespace=${{env.REPOSITORY_OWNER}} > package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml - - - name: Save educates-cluster-essentials.yaml - uses: actions/upload-artifact@v4 - with: - name: educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml - path: package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml - - - name: Publish educates-training-platform bundle + cat < publish-values.yaml + clusterInfrastructure: + provider: "custom" + clusterPackages: + contour: + enabled: true + settings: + infraProvider: custom + cert-manager: + enabled: true + settings: {} + external-dns: + enabled: true + settings: + infraProvider: custom + deployment: + args: + - --provider=custom + - --source=custom + certs: + 
enabled: true + settings: + certProvider: local + domains: + - "example.com" + local: + caCertificate: + ca.crt: "AA" + ca.key: "BB" + kyverno: + enabled: true + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: "educates.example.com" + imageRegistry: + host: "ghcr.io" + namespace: ${{env.REPOSITORY_OWNER}} + version: ${{env.REPOSITORY_TAG}} + lookupService: + enabled: true + EOF + + - name: Publish educates-installer bundle shell: bash run: | - ytt -f carvel-packages/training-platform/config/images.yaml \ - -f carvel-packages/training-platform/config/schema.yaml \ - -v version=${{env.REPOSITORY_TAG}} \ - -v imageRegistry.host=ghcr.io \ - -v imageRegistry.namespace=${{env.REPOSITORY_OWNER}} \ - > carvel-packages/training-platform/bundle/kbld-images.yaml - cat carvel-packages/training-platform/bundle/kbld-images.yaml | kbld -f - \ - --imgpkg-lock-output carvel-packages/training-platform/bundle/.imgpkg/images.yml + # Create the kbld-images.yaml file with references to educates images + ytt -f carvel-packages/installer/config/images.yaml \ + -f carvel-packages/installer/config/schema.yaml \ + -v imageRegistry.host=ghcr.io \ + -v imageRegistry.namespace=${{env.REPOSITORY_OWNER}} \ + -v version=${{env.REPOSITORY_TAG}} > carvel-packages/installer/bundle/kbld/kbld-images.yaml + # Cat the generated file for debugging purposes + cat carvel-packages/installer/bundle/kbld/kbld-images.yaml + # Create images lock file. 
We use a sample values file to pass validations + # We properly rewrite references to images via kbld + ytt --data-values-file publish-values.yaml \ + -f carvel-packages/installer/bundle/config | kbld -f - \ + -f carvel-packages/installer/bundle/kbld/kbld-images.yaml \ + --imgpkg-lock-output carvel-packages/installer/bundle/.imgpkg/images.yml + # Push the bundle to the registry imgpkg push \ - -b ghcr.io/${{env.REPOSITORY_OWNER}}/educates-training-platform:${{env.REPOSITORY_TAG}} \ - -f carvel-packages/training-platform/bundle \ + -b ghcr.io/${{env.REPOSITORY_OWNER}}/educates-installer:${{env.REPOSITORY_TAG}} \ + -f carvel-packages/installer/bundle \ --registry-username=${{github.actor}} \ --registry-password=${{secrets.GITHUB_TOKEN}} - ytt -f carvel-packages/training-platform/bundle \ - --data-values-schema-inspect -o openapi-v3 > educates-training-platform-schema-openapi.yaml - ytt -f carvel-packages/training-platform/config/package.yaml \ - -f carvel-packages/training-platform/config/schema.yaml \ + ytt -f carvel-packages/installer/config/app.yaml \ + -f carvel-packages/installer/config/schema.yaml \ -v version=${{env.REPOSITORY_TAG}} \ - -v releasedAt=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \ - --data-value-file openapi=educates-training-platform-schema-openapi.yaml \ -v imageRegistry.host=ghcr.io \ - -v imageRegistry.namespace=${{env.REPOSITORY_OWNER}} > package-repository/packages/training-platform.educates.dev/educates-training-platform-${{env.REPOSITORY_TAG}}.yaml + -v imageRegistry.namespace=${{env.REPOSITORY_OWNER}} > educates-installer-app.yaml + # Copy and rename rbac.yaml file + cp carvel-packages/installer/config/rbac.yaml educates-installer-app-rbac.yaml - - name: Save educates-training-platform.yaml + - name: Save educates-installer-app.yaml uses: actions/upload-artifact@v4 with: - name: educates-training-platform-${{env.REPOSITORY_TAG}}.yaml - path: 
package-repository/packages/training-platform.educates.dev/educates-training-platform-${{env.REPOSITORY_TAG}}.yaml + name: educates-installer-app.yaml + path: educates-installer-app.yaml - - name: Publish educates-training-platform package repository - shell: bash - run: | - ytt -f package-repository/packages | kbld -f - --imgpkg-lock-output package-repository/.imgpkg/images.yml - imgpkg push --debug -b ghcr.io/${{env.REPOSITORY_OWNER}}/educates-packages:${{env.REPOSITORY_TAG}} -f package-repository --registry-username=${{github.actor}} --registry-password=${{secrets.GITHUB_TOKEN}} - ytt -f carvel-packages/repository.yaml -v packageRepository=ghcr.io/${{env.REPOSITORY_OWNER}} -v repositoryVersion=${{env.REPOSITORY_TAG}} > educates-packagerepository.yaml - - - name: Save educates-training-platform repository.yaml - uses: actions/upload-artifact@v4 - with: - name: educates-packagerepository.yaml - path: educates-packagerepository.yaml - - - name: Save educates-training-platform package repository + - name: Save educates-installer-app-rbac.yaml uses: actions/upload-artifact@v4 with: - name: package-repository - path: package-repository + name: educates-installer-app-rbac.yaml + path: educates-installer-app-rbac.yaml build-client-programs-linux-amd64: name: Build (clients) / amd64@linux @@ -609,7 +616,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: "1.21.4" + go-version: ${{env.GO_VERSION}} cache-dependency-path: | client-programs/go.sum @@ -646,7 +653,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: "1.21.4" + go-version: ${{env.GO_VERSION}} cache-dependency-path: | client-programs/go.sum @@ -683,7 +690,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: "1.21.4" + go-version: ${{env.GO_VERSION}} cache-dependency-path: | client-programs/go.sum 
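Review bot: In the `Publish educates-installer bundle` step the images lock written by `kbld … --imgpkg-lock-output carvel-packages/installer/bundle/.imgpkg/images.yml` is computed from config rendered with the hand-written `publish-values.yaml`, so, if I read kbld's behaviour right, only images referenced by components that file enables land in the lock; a component left disabled there, or added later without updating the heredoc, would ship unlocked, and the inline comment `We use a sample values file to pass validations` does not warn about that coupling. Suggest a comment at the top of the heredoc in the `Create publish values file` step: `# NOTE: every component must be enabled here so all of its images are resolved into .imgpkg/images.yml; keep in sync with bundle/config`. Separately, the step as rendered reads `cat < publish-values.yaml` before the YAML body and ends with `EOF`, which looks like a heredoc whose `<<EOF >` was lost in rendering — worth confirming the committed line is `cat <<EOF > publish-values.yaml`. The enclosing job continues outside the hunk.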
@@ -725,7 +732,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: "1.21.4" + go-version: ${{env.GO_VERSION}} cache-dependency-path: | client-programs/go.sum @@ -821,13 +828,9 @@ jobs: - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 - # related issues for pinning buildkit - # https://github.com/docker/build-push-action/issues/761 - # https://github.com/containerd/containerd/issues/7972 - # https://github.com/containerd/containerd/pull/6995 with: driver-opts: | - image=moby/buildkit:v0.10.6 + image=moby/buildkit:${{env.BUILDKIT_VERSION}} - name: Generate container image metadata id: meta @@ -853,7 +856,7 @@ jobs: echo "REPOSITORY_TAG=${GITHUB_REF##*/}" >>${GITHUB_ENV} - name: Build and push docker-extension image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: docker-extension platforms: ${{env.TARGET_PLATFORMS}} @@ -888,20 +891,15 @@ jobs: echo "REPOSITORY_TAG=${REPOSITORY_TAG}" >>${GITHUB_ENV} echo "PRERELEASE=${PRERELEASE}" >>${GITHUB_ENV} - - name: Restore packagerepository.yaml - uses: actions/download-artifact@v4 - with: - name: educates-packagerepository.yaml - - - name: Restore educates-cluster-essentials.yaml + - name: Restore educates-installer-app.yaml uses: actions/download-artifact@v4 with: - name: educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml + name: educates-installer-app.yaml - - name: Restore educates-training-platform.yaml + - name: Restore educates-installer-app-rbac.yaml uses: actions/download-artifact@v4 with: - name: educates-training-platform-${{env.REPOSITORY_TAG}}.yaml + name: educates-installer-app-rbac.yaml - name: Restore educates-linux-amd64 uses: actions/download-artifact@v4 
@@ -926,13 +924,12 @@ jobs: - name: Generate file checksums for CLI binaries shell: bash run: | - sha256sum educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml >> checksums.txt sha256sum educates-darwin-amd64 >> checksums.txt sha256sum educates-darwin-arm64 >> checksums.txt sha256sum educates-linux-amd64 >> checksums.txt sha256sum educates-linux-arm64 >> checksums.txt - sha256sum educates-packagerepository.yaml >> checksums.txt - sha256sum educates-training-platform-${{env.REPOSITORY_TAG}}.yaml >> checksums.txt + sha256sum educates-installer-app.yaml >> checksums.txt + sha256sum educates-installer-app-rbac.yaml >> checksums.txt echo 'File Checksums' >> release-notes.md echo '--------------' >> release-notes.md echo '```' >> release-notes.md @@ -951,7 +948,7 @@ jobs: - name: Create release id: create_release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} with: 
@@ -962,67 +959,9 @@ jobs: body_path: release-notes.md files: | checksums.txt - educates-packagerepository.yaml - educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml - educates-training-platform-${{env.REPOSITORY_TAG}}.yaml + educates-installer-app.yaml + educates-installer-app-rbac.yaml educates-linux-amd64 educates-linux-arm64 educates-darwin-amd64 educates-darwin-arm64 - - commit-packages: - name: Commit - runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') - needs: - - release-artifacts - - steps: - - name: Check out the repository - uses: actions/checkout@v4 - - - name: Calculate variables - shell: bash - run: | - IS_FORK=$(if [[ $GITHUB_EVENT_NAME == 'push' && $GITHUB_EVENT_PATH ]]; then jq -r .repository.fork <<< $(cat $GITHUB_EVENT_PATH); else echo false; fi) - REPOSITORY_TAG=${GITHUB_REF##*/} - if [[ "$REPOSITORY_TAG" == *-* ]]; then - PRERELEASE=true - else - PRERELEASE=false - fi - echo "IS_FORK=${IS_FORK}" >>${GITHUB_ENV} - echo "PRERELEASE=${PRERELEASE}" >>${GITHUB_ENV} - echo "REPOSITORY_TAG=${REPOSITORY_TAG}" >>${GITHUB_ENV} - - - name: Restore educates-cluster-essentials.yaml - uses: actions/download-artifact@v4 - with: - name: educates-cluster-essentials-${{env.REPOSITORY_TAG}}.yaml - path: package-repository/packages/cluster-essentials.educates.dev/ - - - name: Restore educates-training-platform.yaml - uses: actions/download-artifact@v4 - with: - name: educates-training-platform-${{env.REPOSITORY_TAG}}.yaml - path: package-repository/packages/training-platform.educates.dev/ - - - name: Create pull request for package repository files - if: ${{ (env.IS_FORK == 'false') && (env.PRERELEASE == 'false') }} - uses: peter-evans/create-pull-request@v5 - with: - add-paths: | - package-repository - commit-message: "Add package files for version ${{env.REPOSITORY_TAG}}." - branch: release/patch - base: develop - title: "Add package files for version ${{env.REPOSITORY_TAG}}." 
- body: > - This is an automated pull request to add the package files for - version ${{env.REPOSITORY_TAG}} to the repository. If the release is - successful and you are working in the main Educates repository, this - needs to be merged to the `develop` branch before making a further - release. You should avoid merging this pull request if working in a - fork of the main Educates repository as it will result in changes to - the `develop` branch which have details specific to your fork, which - should never end up back in the main Educates repository. diff --git a/.gitignore b/.gitignore index 92bb75eac..edfb6b9b5 100644 --- a/.gitignore +++ b/.gitignore @@ -3,12 +3,13 @@ __pycache__ *.swp *.vsix .netlify -/carvel-packages/cluster-essentials/bundle/.imgpkg/images.yml -/carvel-packages/training-platform/bundle/.imgpkg/images.yml -/carvel-packages/training-platform/bundle/kbld-images.yaml +/carvel-packages/installer/test-*.yaml +/carvel-packages/installer/bundle/.imgpkg/images.yml +/carvel-packages/installer/bundle/kbld/kbld-images.yaml /client-programs/bin /client-programs/pkg/renderer/files /developer-testing +/lookup-service/venv /project-docs/venv /project-docs/_build /session-manager/venv @@ -24,3 +25,7 @@ __pycache__ /workshop-images/base-environment/opt/helper/out /workshop-images/base-environment/opt/renderer/build /workshop-images/base-environment/opt/renderer/node_modules +vendor + + +/test*.yaml diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 000000000..1baf5dbb3 --- /dev/null +++ b/.readthedocs.yaml 
@@ -0,0 +1,35 @@ +# Read the Docs configuration file for Sphinx projects +# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details + +# Required +version: 2 + +# Set the OS, Python version and other tools you might need +build: + os: ubuntu-22.04 + tools: + python: "3.12" + # You can also specify other tool versions: + # nodejs: "20" + # rust: "1.70" + # golang: "1.20" + +# Build documentation in the "docs/" directory with Sphinx +sphinx: + configuration: project-docs/conf.py + # You can configure Sphinx to use a different builder, for instance use the dirhtml builder for simpler URLs + # builder: "dirhtml" + # Fail on all warnings to avoid broken references + # fail_on_warning: true + +# Optionally build your docs in additional formats such as PDF and ePub +# formats: +# - pdf +# - epub + +# Optional but recommended, declare the Python requirements required +# to build your documentation +# See https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html +python: + install: + - requirements: project-docs/requirements.txt diff --git a/Makefile b/Makefile index 94c1eee16..166866828 100644 --- a/Makefile +++ b/Makefile 
@@ -17,21 +17,21 @@ endif TARGET_PLATFORM = $(TARGET_SYSTEM)-$(TARGET_MACHINE) DOCKER_PLATFORM = linux/$(TARGET_MACHINE) -all: push-all-images deploy-cluster-essentials deploy-training-platform deploy-workshop +all: push-all-images # deploy-installer deploy-workshop build-all-images: build-session-manager build-training-portal \ build-base-environment build-jdk8-environment build-jdk11-environment \ build-jdk17-environment build-jdk21-environment \ build-conda-environment build-docker-registry \ build-pause-container build-secrets-manager build-tunnel-manager \ - build-image-cache build-assets-server + build-image-cache build-assets-server build-lookup-service push-all-images: push-session-manager push-training-portal \ push-base-environment push-jdk8-environment push-jdk11-environment \ push-jdk17-environment push-jdk21-environment \ push-conda-environment push-docker-registry \ push-pause-container push-secrets-manager push-tunnel-manager \ - push-image-cache push-assets-server + push-image-cache push-assets-server push-lookup-service build-core-images: build-session-manager build-training-portal \ build-base-environment build-docker-registry build-pause-container \ 
@@ -133,91 +133,63 @@ build-assets-server: push-assets-server: build-assets-server docker push $(IMAGE_REPOSITORY)/educates-assets-server:$(PACKAGE_VERSION) -verify-cluster-essentials-config: -ifneq ("$(wildcard developer-testing/educates-cluster-essentials-values.yaml)","") - @ytt --file carvel-packages/cluster-essentials/bundle/config --data-values-file developer-testing/educates-cluster-essentials-values.yaml -else - @ytt --file carvel-packages/cluster-essentials/bundle/config -endif +build-lookup-service: + docker build --progress plain --platform $(DOCKER_PLATFORM) -t $(IMAGE_REPOSITORY)/educates-lookup-service:$(PACKAGE_VERSION) lookup-service -push-cluster-essentials-bundle: - ytt -f carvel-packages/cluster-essentials/bundle/config | kbld -f - --imgpkg-lock-output carvel-packages/cluster-essentials/bundle/.imgpkg/images.yml - imgpkg push -b $(IMAGE_REPOSITORY)/educates-cluster-essentials:$(RELEASE_VERSION) -f carvel-packages/cluster-essentials/bundle - mkdir -p developer-testing - ytt -f carvel-packages/cluster-essentials/bundle --data-values-schema-inspect -o openapi-v3 > developer-testing/educates-cluster-essentials-schema-openapi.yaml - ytt -f carvel-packages/cluster-essentials/config/package.yaml -f carvel-packages/cluster-essentials/config/schema.yaml -v imageRegistry.host=$(IMAGE_REPOSITORY) -v version=$(RELEASE_VERSION) -v releasedAt=`date -u +"%Y-%m-%dT%H:%M:%SZ"` --data-value-file openapi=developer-testing/educates-cluster-essentials-schema-openapi.yaml > developer-testing/educates-cluster-essentials.yaml +push-lookup-service: build-lookup-service + docker push $(IMAGE_REPOSITORY)/educates-lookup-service:$(PACKAGE_VERSION) -deploy-cluster-essentials: -ifneq ("$(wildcard developer-testing/educates-cluster-essentials-values.yaml)","") - ytt --file carvel-packages/cluster-essentials/bundle/config --data-values-file developer-testing/educates-cluster-essentials-values.yaml | kapp deploy -a educates-cluster-essentials -f - -y +verify-installer-config: 
+ifneq ("$(wildcard developer-testing/educates-installer-values.yaml)","") + @ytt --file carvel-packages/installer/bundle/config --data-values-file developer-testing/educates-installer-values.yaml else - ytt --file carvel-packages/cluster-essentials/bundle/config | kapp deploy -a educates-cluster-essentials -f - -y + @echo "No values file found. Please create developer-testing/educates-installer-values.yaml" + exit 1 endif -delete-cluster-essentials: - kapp delete -a educates-cluster-essentials -y +push-installer-bundle: + ytt -f carvel-packages/installer/config/images.yaml -f carvel-packages/installer/config/schema.yaml -v imageRegistry.host=$(IMAGE_REPOSITORY) -v version=$(PACKAGE_VERSION) > carvel-packages/installer/bundle/kbld/kbld-images.yaml + # For local development, we just need to lock educates images. Everything else can be referenced by tag from real origin. + cat carvel-packages/installer/bundle/kbld/kbld-images.yaml | kbld -f - --imgpkg-lock-output carvel-packages/installer/bundle/.imgpkg/images.yml + imgpkg push -b $(IMAGE_REPOSITORY)/educates-installer:$(RELEASE_VERSION) -f carvel-packages/installer/bundle + mkdir -p developer-testing + ytt -f carvel-packages/installer/config/app.yaml -f carvel-packages/installer/config/schema.yaml -v imageRegistry.host=$(IMAGE_REPOSITORY) -v version=$(RELEASE_VERSION) > developer-testing/educates-installer-app.yaml -deploy-cluster-essentials-bundle: push-cluster-essentials-bundle - kubectl get ns/educates-package || kubectl create ns educates-package - kubectl apply --namespace educates-package -f carvel-packages/cluster-essentials/config/metadata.yaml - kubectl apply --namespace educates-package -f developer-testing/educates-cluster-essentials.yaml -ifneq ("$(wildcard developer-testing/educates-cluster-essentials-values.yaml)","") - kctrl package install --namespace educates-package --package-install educates-cluster-essentials --package cluster-essentials.educates.dev --version $(RELEASE_VERSION) --values-file 
developer-testing/educates-cluster-essentials-values.yaml +deploy-platform: +ifneq ("$(wildcard developer-testing/educates-installer-values.yaml)","") + ytt --file carvel-packages/installer/bundle/config --data-values-file developer-testing/educates-installer-values.yaml | kapp deploy -a label:installer=educates-installer.app -f - -y else - kctrl package install --namespace educates-package --package-install educates-cluster-essentials --package cluster-essentials.educates.dev --version $(RELEASE_VERSION) + @echo "No values file found. Please create developer-testing/educates-installer-values.yaml" + exit 1 endif -delete-cluster-essentials-bundle: - kctrl package installed delete --namespace educates-package --package-install educates-cluster-essentials -y +delete-platform: + kapp delete -a label:installer=educates-installer.app -y -verify-training-platform-config: -ifneq ("$(wildcard developer-testing/educates-training-platform-values.yaml)","") - @ytt --file carvel-packages/training-platform/bundle/config --data-values-file developer-testing/educates-training-platform-values.yaml -else - @ytt --file carvel-packages/training-platform/bundle/config +deploy-platform-app: push-installer-bundle +ifeq ("$(wildcard developer-testing/educates-installer-values.yaml)","") + @echo "No values file found. 
Please create developer-testing/educates-installer-values.yaml" + exit 1 endif + -kubectl apply -f carvel-packages/installer/config/rbac.yaml + kubectl create secret generic educates-installer --from-file=developer-testing/educates-installer-values.yaml -o yaml --dry-run=client | kubectl apply -n educates-installer -f - + kubectl apply --namespace educates-installer -f developer-testing/educates-installer-app.yaml -push-training-platform-bundle: - ytt -f carvel-packages/training-platform/config/images.yaml -f carvel-packages/training-platform/config/schema.yaml -v imageRegistry.host=$(IMAGE_REPOSITORY) -v version=$(PACKAGE_VERSION) > carvel-packages/training-platform/bundle/kbld-images.yaml - cat carvel-packages/training-platform/bundle/kbld-images.yaml | kbld -f - --imgpkg-lock-output carvel-packages/training-platform/bundle/.imgpkg/images.yml - imgpkg push -b $(IMAGE_REPOSITORY)/educates-training-platform:$(RELEASE_VERSION) -f carvel-packages/training-platform/bundle - mkdir -p developer-testing - ytt -f carvel-packages/training-platform/bundle --data-values-schema-inspect -o openapi-v3 > developer-testing/educates-training-platform-schema-openapi.yaml - ytt -f carvel-packages/training-platform/config/package.yaml -f carvel-packages/training-platform/config/schema.yaml -v imageRegistry.host=$(IMAGE_REPOSITORY) -v version=$(RELEASE_VERSION) -v releasedAt=`date -u +"%Y-%m-%dT%H:%M:%SZ"` --data-value-file openapi=developer-testing/educates-training-platform-schema-openapi.yaml > developer-testing/educates-training-platform.yaml - -deploy-training-platform: -ifneq ("$(wildcard developer-testing/educates-training-platform-values.yaml)","") - ytt --file carvel-packages/training-platform/bundle/config --data-values-file developer-testing/educates-training-platform-values.yaml | kapp deploy -a educates-training-platform -f - -y -else - ytt --file carvel-packages/training-platform/bundle/config | kapp deploy -a educates-training-platform -f - -y -endif 
+delete-platform-app: + kubectl delete --namespace educates-installer -f developer-testing/educates-installer-app.yaml + -kubectl delete secret educates-installer -n educates-installer + -kubectl delete -f carvel-packages/installer/config/rbac.yaml restart-training-platform: kubectl rollout restart deployment/secrets-manager -n educates kubectl rollout restart deployment/session-manager -n educates -delete-training-platform: delete-workshop - kapp delete -a educates-training-platform -y - -deploy-training-platform-bundle: push-training-platform-bundle - kubectl get ns/educates-package || kubectl create ns educates-package - kubectl apply --namespace educates-package -f carvel-packages/training-platform/config/metadata.yaml - kubectl apply --namespace educates-package -f developer-testing/educates-training-platform.yaml -ifneq ("$(wildcard developer-testing/educates-training-platform-values.yaml)","") - kctrl package install --namespace educates-package --package-install educates-training-platform --package training-platform.educates.dev --version $(RELEASE_VERSION) --values-file developer-testing/educates-training-platform-values.yaml -else - kctrl package install --namespace educates-package --package-install educates-training-platform --package training-platform.educates.dev --version $(RELEASE_VERSION) -endif - -delete-training-platform-bundle: - kctrl package installed delete --namespace educates-package --package-install educates-training-platform -y - client-programs-educates: rm -rf client-programs/pkg/renderer/files mkdir client-programs/pkg/renderer/files mkdir -p client-programs/bin cp -rp workshop-images/base-environment/opt/eduk8s/etc/themes client-programs/pkg/renderer/files/ - (cd client-programs; go build -o bin/educates-$(TARGET_PLATFORM) cmd/educates/main.go) + (cd client-programs; go build -gcflags=all="-N -l" -o bin/educates-$(TARGET_PLATFORM) cmd/educates/main.go) build-client-programs: client-programs-educates 
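Review bot: `client-programs-educates` now builds the CLI with `-gcflags=all="-N -l"`, which disables optimisation and inlining for every package; that is a debugger setting, and because `build-client-programs` depends on this target it becomes the default for any binary produced through the Makefile, so gate it, e.g. `GO_DEBUG_FLAGS ?=` at the top and `go build $(GO_DEBUG_FLAGS) -o bin/educates-$(TARGET_PLATFORM) …`, setting `-gcflags=all="-N -l"` only for an explicit debug build. In `deploy-platform-app`, the leading `-` on `-kubectl apply -f carvel-packages/installer/config/rbac.yaml` tells make to ignore a failed apply, so a missing namespace or RBAC object only surfaces as a less obvious error from the following `kubectl apply -n educates-installer`; `kubectl apply` is already idempotent, so the dash can go (the `-kubectl delete` lines in `delete-platform-app` are fine as best-effort cleanup). The `ifeq` values-file guard in `deploy-platform-app` is evaluated into the recipe, which runs only after the `push-installer-bundle` prerequisite has already pushed a bundle, so the check fires too late; listing `verify-installer-config` before `push-installer-bundle` in the prerequisites would fail first.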
@@ -261,8 +233,8 @@ clean-project-docs: rm -rf project-docs/_build deploy-workshop: - kubectl apply -f https://github.com/vmware-tanzu-labs/lab-k8s-fundamentals/releases/download/5.0/workshop.yaml - kubectl apply -f https://github.com/vmware-tanzu-labs/lab-k8s-fundamentals/releases/download/5.0/trainingportal.yaml + kubectl apply -f https://github.com/educates/lab-k8s-fundamentals/releases/download/7.4/workshop.yaml + kubectl apply -f https://github.com/educates/lab-k8s-fundamentals/releases/download/7.4/trainingportal.yaml STATUS=1; ATTEMPTS=0; ROLLOUT_STATUS_CMD="kubectl rollout status deployment/training-portal -n lab-k8s-fundamentals-ui"; until [ $$STATUS -eq 0 ] || $$ROLLOUT_STATUS_CMD || [ $$ATTEMPTS -eq 5 ]; do sleep 5; $$ROLLOUT_STATUS_CMD; STATUS=$$?; ATTEMPTS=$$((ATTEMPTS + 1)); done delete-workshop: diff --git a/carvel-packages/cluster-essentials/bundle/.imgpkg/bundle.yml b/carvel-packages/cluster-essentials/bundle/.imgpkg/bundle.yml deleted file mode 100644 index 9e0f77545..000000000 --- a/carvel-packages/cluster-essentials/bundle/.imgpkg/bundle.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: imgpkg.carvel.dev/v1alpha1 -kind: Bundle -metadata: - name: educates-cluster-essentials -authors: -- name: Graham Dumpleton - email: gdumpleton@vmware.com -websites: -- url: github.com/vmware-tanzu-labs/educates-cluster-essentials diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/certificates.lib.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/certificates.lib.yaml deleted file mode 100644 index 3640b2472..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/certificates.lib.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -#@ load("@ytt:overlay", "overlay") -#@ load("@ytt:template", "template") -#@ load("@ytt:yaml", "yaml") - -#@ def get_issuer(): -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: "issuer" - namespace: "issuer-namespace" -spec: {} -#@ end - -#@ def self_signed_issuer(): -spec: - #@overlay/match missing_ok=True - selfSigned: {} -#@ end - -#@ def ca_issuer(): -spec: - #@overlay/match missing_ok=True - ca: - secretName: "ca-key-pair" -#@ end - -#@ def ca_secret(secret_name): -spec: - ca: - secretName: #@ secret_name -#@ end - -#@ def get_self_signed_issuer(): -#@ return overlay.apply(get_issuer(), self_signed_issuer()) -#@ end - -#@ def get_ca_issuer(): -#@ return overlay.apply(get_issuer(), ca_issuer()) -#@ end - -#@ def generate_self_signed_issuer(name, namespace): -#@ return overlay.apply(get_self_signed_issuer(), metadata(name, namespace)) -#@ end - -#@ def generate_ca_issuer(name, namespace, secret_name): -#@ return overlay.apply(get_ca_issuer(), metadata(name, namespace), ca_secret(secret_name)) -#@ end - -#@ def get_certificate(): -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "certificate" - namespace: "certificate-namespace" -spec: - secretName: "ca-key-pair" - duration: 8760h - renewBefore: 360h - subject: - organizations: [] - commonName: "certificate" - isCA: false - privateKey: - size: 2048 - algorithm: RSA - encoding: PKCS1 - usages: - - server auth - - client auth - dnsNames: [] - ipAddresses: [] - issuerRef: - name: "ca-issuer" - kind: Issuer - group: cert-manager.io - -#@ end - -#@ def ca_certificate(isCA): -spec: - isCA: #@ isCA -#@ end - -#@ def ip_address(ips): -spec: - #@overlay/replace - ipAddresses: - #@ for ip in ips: - - #@ ip - #@ end -#@ end - -#@ def server_certificate(): -spec: - #@overlay/replace - usages: - - server auth -#@ end - -#@ def client_certificate(): -spec: - #@overlay/replace - usages: - - client auth -#@ end - -#@ def get_certificate_with_params(args): -#@ return 
overlay.apply(get_certificate(), ca_certificate(args[0]), ip_address(args[1])) -#@ end - -#@ def get_ca_certificate(): -#@ return overlay.apply(get_certificate(), ca_certificate(True)) -#@ end - -#@ def get_server_certificate(): -#@ return overlay.apply(get_certificate(), server_certificate()) -#@ end - -#@ def get_client_certificate(): -#@ return overlay.apply(get_certificate(), client_certificate()) -#@ end - -#@ def metadata(name, namespace): -metadata: - name: #@ name - namespace: #@ namespace -#@ end - -#@ def certificate_secret(secret_name): -spec: - secretName: #@ secret_name -#@ end - -#@ def certificate_details(duration, renew_before, organizations, common_name, dns_names): -spec: - duration: #@ duration - renewBefore: #@ renew_before - subject: - #@overlay/replace - organizations: #@ organizations - commonName: #@ common_name - #@overlay/replace - dnsNames: #@ dns_names -#@ end - -#@ def certificate_issuer(issuer_name): -spec: - issuerRef: - name: #@ issuer_name -#@ end - -#@ def generate_dns_names(name, namespace): -#@ full_name = name + "." 
+ namespace -#@ svc_name = full_name + ".svc" -#@ svc_cluster_local_name = svc_name + ".cluster.local" -#@ return [name, full_name, svc_name, svc_cluster_local_name] -#@ end - -#@ def certificate_generate_args(certificate_func, name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name, args): -#@ return overlay.apply(certificate_func(args), metadata(name, namespace), certificate_secret(secret_name), certificate_details(duration, renew_before, organizations, common_name, dns_names), certificate_issuer(issuer_name)) -#@ end - -#@ def certificate_generate(certificate_func, name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name): -#@ return overlay.apply(certificate_func(), metadata(name, namespace), certificate_secret(secret_name), certificate_details(duration, renew_before, organizations, common_name, dns_names), certificate_issuer(issuer_name)) -#@ end - -#@ def generate_certificate(name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name): -#@ return certificate_generate(get_certificate, name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name) -#@ end - -#@ def generate_ca_certificate(name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name): -#@ return certificate_generate(get_ca_certificate, name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name) -#@ end - -#@ def generate_server_certificate(name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name): -#@ return certificate_generate(get_server_certificate, name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name) -#@ end - -#@ def generate_client_certificate(name, namespace, duration, renew_before, secret_name, organizations, 
common_name, dns_names, issuer_name):
-#@ return certificate_generate(get_client_certificate, name, namespace, duration, renew_before, secret_name, organizations, common_name, dns_names, issuer_name)
-#@ end
diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/contour.star b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/contour.star
deleted file mode 100644
index ac238b16f..000000000
--- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/contour.star
+++ /dev/null
@@ -1,157 +0,0 @@ -load("@ytt:data", "data") -load("@ytt:assert", "assert") -load("@ytt:struct", "struct") - -# ########## -# DEFAULTING -# ########## - -def get_contour_deployment_args(): - args = [ - "serve", - "--incluster", - "--xds-address=::", - "--xds-port=8001", - "--stats-address=::", - "--http-address=::", - "--envoy-service-http-address=::", - "--envoy-service-https-address=::", - "--health-address=::", - "--contour-cafile=/certs/ca.crt", - "--contour-cert-file=/certs/tls.crt", - "--contour-key-file=/certs/tls.key", - "--config-path=/config/contour.yaml", - ] - if data.values.contour.useProxyProtocol: - args.append("--use-proxy-protocol") - end - - if data.values.contour.logLevel == "debug": - args.append("--debug") - end - - return args -end - -def get_envoy_service_type(): - if data.values.envoy.service.type: - return data.values.envoy.service.type - elif data.values.infrastructureProvider == "docker": - return "NodePort" - elif data.values.infrastructureProvider == "vsphere": - return "NodePort" - else: - return "LoadBalancer" - end -end - -def get_envoy_service_external_traffic_policy(): - if data.values.envoy.service.externalTrafficPolicy: - return data.values.envoy.service.externalTrafficPolicy - elif data.values.infrastructureProvider == "vsphere": - return "Cluster" - else: - return "Local" - end -end - -def get_envoy_service_annotations(): - annotations = {} - - if data.values.infrastructureProvider == "aws": - if data.values.envoy.service.aws.loadBalancerType == "nlb": - annotations["service.beta.kubernetes.io/aws-load-balancer-type"] = "nlb" - else: - annotations["service.beta.kubernetes.io/aws-load-balancer-backend-protocol"] = "tcp" - if data.values.contour.useProxyProtocol: - annotations["service.beta.kubernetes.io/aws-load-balancer-proxy-protocol"] = "*" - end - end - end - - if data.values.envoy.service.annotations: - annotations_kvs = struct.decode(data.values.envoy.service.annotations) - annotations.update(annotations_kvs) - end - - 
return annotations -end - -# ########## -# VALIDATION -# ########## - -def validate_contour(): - validate_funcs = [validate_infrastructure_provider, - validate_contour_namespace, - validate_contour_deployment, - validate_contour_certificate, - validate_envoy_deployment, - validate_envoy_workload, - validate_envoy_service] - for validate_func in validate_funcs: - validate_func() - end -end - -def validate_infrastructure_provider(): - if data.values.infrastructureProvider: - data.values.infrastructureProvider in ("docker", "aws", "vsphere", "azure") or assert.fail("infrastructureProvider must be either docker or aws or vsphere or azure") - end -end - -def validate_contour_namespace(): - data.values.namespace or assert.fail("namespace must be provided") -end - -def validate_contour_deployment(): - data.values.contour.replicas or assert.fail("contour.replicas must be provided") -end - -def validate_contour_certificate(): - if data.values.certificates.useCertManager: - data.values.certificates.duration or assert.fail("certificates.duration must be provided when certificates.useCertManager is true") - data.values.certificates.renewBefore or assert.fail("certificates.renewBefore must be provided when certificates.useCertManager is true") - end -end - -def validate_envoy_deployment(): - if data.values.envoy.hostPorts.enable: - data.values.envoy.hostPorts.http or assert.fail("envoy.hostPorts.http must be provided when envoy.hostPorts.enable is true") - data.values.envoy.hostPorts.https or assert.fail("envoy.hostPorts.https must be provided when envoy.hostPorts.enable is true") - end - - data.values.envoy.logLevel in ("trace", "debug", "info", "warning", "warn", "error", "critical", "off") or assert.fail("envoy.logLevel must be one of trace|debug|info|warning/warn|error|critical|off") - - data.values.envoy.terminationGracePeriodSeconds or assert.fail("envoy.terminationGracePeriodSeconds must be provided") -end - -def validate_envoy_workload(): - 
data.values.envoy.workload.type in ("Deployment", "DaemonSet") or assert.fail("envoy.workload.type must be one of Deployment|DaemonSet") - if data.values.envoy.workload.type == "Deployment": - data.values.envoy.workload.replicas > 0 or assert.fail("envoy.workload.replicas must be greater than 0 when envoy.workload.type is Deployment") - end - -end - -def validate_envoy_service(): - if data.values.envoy.service.type: - data.values.envoy.service.type in ("LoadBalancer", "NodePort", "ClusterIP") or assert.fail("envoy.service.type must be either LoadBalancer or NodePort or ClusterIP") - end - - if data.values.envoy.service.externalTrafficPolicy: - data.values.envoy.service.externalTrafficPolicy in ("Cluster", "Local") or assert.fail("envoy.service.externalTrafficPolicy must be either Cluster or Local") - end - - if data.values.infrastructureProvider == "aws": - data.values.envoy.service.aws.loadBalancerType in ("classic", "nlb") or assert.fail("envoy.service.aws.loadBalancerType must be either classic or nlb when infrastructureProvider is aws") - end - - if data.values.envoy.service.annotations: - annotations_kvs = struct.decode(data.values.envoy.service.annotations) - _, err = assert.try_to(lambda: annotations_kvs.items()) - not err or assert.fail("envoy.service.annotations must be a key/value map") - end -end - -validate_contour() diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/add-certmanager-certs.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/add-certmanager-certs.yaml deleted file mode 100644 index 2e4a2202a..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/add-certmanager-certs.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -#@ load("@ytt:overlay", "overlay") -#@ load("@ytt:template", "template") -#@ load("@ytt:data", "data") -#@ load("/certificates.lib.yaml", "generate_dns_names", "generate_self_signed_issuer", "generate_ca_issuer", "generate_ca_certificate", "generate_server_certificate", "generate_client_certificate") - -#@ contour_name = "contour" -#@ contour_namespace = data.values.namespace -#@ contour_organization = "Project Contour" -#@ contour_self_signed_ca_issuer = contour_name + "-selfsigned-ca-issuer" -#@ contour_ca = contour_name + "-ca" -#@ contour_ca_common_name = "Contour CA" -#@ contour_ca_dns_name = contour_name + "ca" -#@ contour_ca_key_pair = contour_name + "-ca-key-pair" -#@ contour_ca_issuer = contour_name + "-ca-issuer" -#@ contour_cert = contour_name + "-cert" -#@ contour_cert_duration = data.values.certificates.duration -#@ contour_cert_renew_before = data.values.certificates.renewBefore -#@ contour_secret = contour_name + "cert" -#@ contour_cert_common_name = contour_name -#@ envoy_name = "envoy" -#@ envoy_cert = envoy_name + "-cert" -#@ envoy_secret = envoy_name + "cert" -#@ envoy_cert_common_name = envoy_name - -#@ if data.values.certificates.useCertManager: ---- #@ generate_self_signed_issuer(contour_self_signed_ca_issuer, contour_namespace) ---- #@ generate_ca_certificate(contour_ca, contour_namespace, contour_cert_duration, contour_cert_renew_before, contour_ca_key_pair, [contour_organization], contour_ca_common_name, [contour_ca_dns_name], contour_self_signed_ca_issuer) ---- #@ generate_ca_issuer(contour_ca_issuer, contour_namespace, contour_ca_key_pair) ---- #@ generate_server_certificate(contour_cert, contour_namespace, contour_cert_duration, contour_cert_renew_before, contour_secret, [contour_organization], contour_cert_common_name, generate_dns_names(contour_name, contour_namespace), contour_ca_issuer) ---- #@ generate_client_certificate(envoy_cert, contour_namespace, contour_cert_duration, contour_cert_renew_before, envoy_secret, 
[contour_organization], envoy_cert_common_name, generate_dns_names(envoy_name, contour_namespace), contour_ca_issuer) -#@ end diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/change-namespace.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/change-namespace.yaml deleted file mode 100644 index fc9d19b01..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/change-namespace.yaml +++ /dev/null @@ -1,20 +0,0 @@ -#@ load("@ytt:overlay", "overlay") -#@ load("@ytt:data", "data") - -#@overlay/match by=overlay.subset({"kind":"Namespace", "metadata": {"name": "projectcontour"}}), expects=1 ---- -metadata: - name: #@ data.values.namespace - -#! ignore cert-manager objects, since the code for generating them is already setting the namespace correctly. -#@overlay/match by=overlay.and_op(overlay.subset({"metadata": {"namespace": "projectcontour"}}), overlay.not_op(overlay.subset({"apiVersion": "cert-manager.io/v1"}))), expects=13 ---- -metadata: - namespace: #@ data.values.namespace - -#@overlay/match by=overlay.or_op(overlay.subset({"kind":"ClusterRoleBinding"}), overlay.subset({"kind":"RoleBinding"})), expects=3 ---- -subjects: -#@overlay/match by=overlay.subset({"namespace": "projectcontour"}) -- kind: ServiceAccount - namespace: #@ data.values.namespace diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/remove-certgen-job.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/remove-certgen-job.yaml deleted file mode 100644 index 47e729447..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/remove-certgen-job.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-#@ load("@ytt:overlay", "overlay")
-#@ load("@ytt:regexp", "regexp")
-#@ load("@ytt:data", "data")
-
-#@ def regex_match(x, l, r):
-#@ if not ("metadata" in l and "name" in l["metadata"]):
-#@ return False
-#@ end
-#@ return regexp.match("contour-certgen*", l["metadata"]["name"])
-#@ end
-
-#@ if data.values.certificates.useCertManager:
-#@overlay/match by=regex_match,expects="0+"
-#@overlay.remove
----
-
-#@overlay/match by=overlay.subset({"roleRef": {"name": "contour-certgen"}})
-#@overlay.remove
----
-
-#@ else:
-
-#@overlay/match by=overlay.subset({"kind":"Job"}),expects=1
----
-metadata:
- #@overlay/match missing_ok=True
- annotations:
- #@overlay/match missing_ok=True
- kapp.k14s.io/update-strategy: "fallback-on-replace"
-
-#@ end
diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-contour-configmap.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-contour-configmap.yaml
deleted file mode 100644
index ebd704f63..000000000
--- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-contour-configmap.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-#@ load("@ytt:overlay", "overlay")
-#@ load("@ytt:data", "data")
-#@ load("@ytt:yaml", "yaml")
-
-
-#@overlay/match by=overlay.subset({"kind": "ConfigMap"})
----
-data:
- contour.yaml: #@ yaml.encode(data.values.contour.configFileContents)
diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-contour-deployment.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-contour-deployment.yaml
deleted file mode 100644
index f42439fe2..000000000
--- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-contour-deployment.yaml
+++ /dev/null
@@ -1,16 +0,0 @@ -#@ load("@ytt:overlay", "overlay") -#@ load("@ytt:data", "data") -#@ load("/contour.star", "get_contour_deployment_args") - - -#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "contour"}}) ---- -spec: - replicas: #@ data.values.contour.replicas - template: - spec: - containers: - #@overlay/match by=overlay.subset({"name": "contour"}) - - - #@overlay/replace - args: #@ get_contour_deployment_args() diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-crds.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-crds.yaml deleted file mode 100644 index aa679289f..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -#@ load("@ytt:overlay", "overlay") - -#@overlay/match by=overlay.subset({"kind":"CustomResourceDefinition"}),expects=5 ---- -#@overlay/remove -status: diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-envoy-daemonset.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-envoy-daemonset.yaml deleted file mode 100644 index d4e8a2db1..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-envoy-daemonset.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -#@ load("@ytt:overlay", "overlay") -#@ load("@ytt:data", "data") - - -#@overlay/match by=overlay.subset({"kind": "DaemonSet", "metadata": {"name": "envoy"}}) ---- -kind: #@ data.values.envoy.workload.type -spec: - #@ if data.values.envoy.workload.type == "Deployment": - #@overlay/match missing_ok=True - replicas: #@ data.values.envoy.workload.replicas - #@overlay/remove - updateStrategy: - #@overlay/match missing_ok=True - strategy: - type: RollingUpdate - rollingUpdate: - #! This value of maxSurge means that during a rolling update - #! the new ReplicaSet will be created first. - maxSurge: 10% - #@ end - template: - spec: - #@ if data.values.envoy.workload.type == "Deployment": - #@overlay/match missing_ok=True - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - envoy - topologyKey: "kubernetes.io/hostname" - #@ end - containers: - #@overlay/match by=overlay.subset({"name": "envoy"}) - - args: - #@overlay/match by=overlay.subset("--log-level info") - - #@ "--log-level " + data.values.envoy.logLevel - ports: - #@overlay/match by=overlay.subset({"name":"http"}) - - - #@ if data.values.envoy.hostPorts.enable: - hostPort: #@ data.values.envoy.hostPorts.http - #@ else: - #@overlay/remove - hostPort: 80 - #@ end - #@overlay/match by=overlay.subset({"name":"https"}) - - - #@ if data.values.envoy.hostPorts.enable: - hostPort: #@ data.values.envoy.hostPorts.https - #@ else: - #@overlay/remove - hostPort: 443 - #@ end - #@ if data.values.envoy.hostNetwork: - #@overlay/match missing_ok=True - hostNetwork: true - #@overlay/match missing_ok=True - dnsPolicy: ClusterFirstWithHostNet - #@ end - terminationGracePeriodSeconds: #@ int(data.values.envoy.terminationGracePeriodSeconds) 
diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-envoy-service.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-envoy-service.yaml deleted file mode 100644 index c0b907338..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/overlays/update-envoy-service.yaml +++ /dev/null @@ -1,39 +0,0 @@ -#@ load("@ytt:overlay", "overlay") -#@ load("@ytt:data", "data") -#@ load("/contour.star", "get_envoy_service_type", "get_envoy_service_annotations", "get_envoy_service_external_traffic_policy") - -#@overlay/match by=overlay.subset({"kind": "Service", "metadata": {"name": "envoy"}}) ---- -metadata: - #@overlay/replace - annotations: #@ get_envoy_service_annotations() -spec: - type: #@ get_envoy_service_type() - - #@ if get_envoy_service_type() == "NodePort" or get_envoy_service_type() == "LoadBalancer": - ports: - #@overlay/match by=overlay.subset({"name":"http"}) - - - #@ if data.values.envoy.service.nodePorts.http: - #@overlay/match missing_ok=True - nodePort: #@ data.values.envoy.service.nodePorts.http - #@ end - #@overlay/match by=overlay.subset({"name":"https"}) - - - #@ if data.values.envoy.service.nodePorts.https: - #@overlay/match missing_ok=True - nodePort: #@ data.values.envoy.service.nodePorts.https - #@ end - #@ end - - #@ if data.values.envoy.service.loadBalancerIP and get_envoy_service_type() == "LoadBalancer": - #@overlay/match missing_ok=True - loadBalancerIP: #@ data.values.envoy.service.loadBalancerIP - #@ end - - #@ if get_envoy_service_type() == "NodePort" or get_envoy_service_type() == "LoadBalancer": - externalTrafficPolicy: #@ get_envoy_service_external_traffic_policy() - #@ else: - #@overlay/remove - externalTrafficPolicy: Local - #@ end 
diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/schema.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/schema.yaml
deleted file mode 100644
index 45065a1d1..000000000
--- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/schema.yaml
+++ /dev/null
@@ -1,92 +0,0 @@ -#@data/values-schema -#@schema/desc "OpenAPIv3 Schema for Contour 1.22.3" - ---- -#@schema/desc "The underlying infrastructure provider. Options are aws, azure, docker and vsphere. This field is not required, but enables better validation and defaulting if provided." -infrastructureProvider: "" - -#@schema/desc "The namespace in which to deploy Contour and Envoy." -namespace: projectcontour - -#@schema/desc "Settings for the Contour component." -contour: - #@schema/desc "The YAML contents of the Contour config file. See https://projectcontour.io/docs/v1.22.3/configuration/#configuration-file for more information." - #@schema/type any=True - configFileContents: null - - #@schema/desc "How many Contour pod replicas to have." - replicas: 2 - - #@schema/desc "Whether to enable PROXY protocol for all Envoy listeners." - useProxyProtocol: false - - #@schema/desc "The Contour log level. Valid options are 'info' and 'debug'." - logLevel: info - -#@schema/desc "Settings for the Envoy component." -envoy: - #@schema/desc "Envoy workload settings." - workload: - #@schema/desc "The type of Kubernetes workload Envoy is deployed as. Options are 'Deployment' or 'DaemonSet'. If not specified, will default to 'DaemonSet'." - type: DaemonSet - #@schema/desc "The number of Envoy replicas to deploy when 'type' is set to 'Deployment'. If not specified, it will default to '2'." - replicas: 2 - - #@schema/desc "Envoy service settings." - service: - #@schema/desc "The type of Kubernetes service to provision for Envoy. If not specified, will default to 'NodePort' for docker and vsphere and 'LoadBalancer' for others." - type: "" - - #@schema/desc "The desired load balancer IP. If type is not 'LoadBalancer', this field is ignored. It is up to the cloud provider whether to honor this request. If not specified, then load balancer IP will be assigned by the cloud provider." - loadBalancerIP: "" - - #@schema/desc "The external traffic policy for the Envoy service. 
If type is 'ClusterIP', this field is ignored. Otherwise, defaults to 'Cluster' for vsphere and 'Local' for others." - externalTrafficPolicy: "" - - #@schema/desc "Annotations to set on the Envoy service." - #@schema/type any=True - annotations: null - - #@schema/desc "NodePort settings for the Envoy service. If type is not 'NodePort' or 'LoadBalancer', these settings are ignored." - nodePorts: - #@schema/desc "The node port number to expose Envoy's HTTP listener on. If not specified, a node port will be auto-assigned by Kubernetes." - http: 0 - - #@schema/desc "The node port number to expose Envoy's HTTPS listener on. If not specified, a node port will be auto-assigned by Kubernetes." - https: 0 - - #@schema/desc "AWS-specific settings for the Envoy service. If infrastructure provider is not 'aws', these settings are ignored." - aws: - #@schema/desc "The type of AWS load balancer to provision. Options are 'classic' and 'nlb'." - loadBalancerType: classic - - #@schema/desc "Host port settings for the Envoy pods." - hostPorts: - #@schema/desc "Whether to enable host ports. If false, http & https are ignored." - enable: false - - #@schema/desc "If enable == true, the host port number to expose Envoy's HTTP listener on." - http: 80 - - #@schema/desc "If enable == true, the host port number to expose Envoy's HTTPS listener on." - https: 443 - - #@schema/desc "Whether to enable host networking for the Envoy pods." - hostNetwork: false - - #@schema/desc "The termination grace period, in seconds, for the Envoy pods." - terminationGracePeriodSeconds: 300 - - #@schema/desc "The Envoy log level." - logLevel: info - -#@schema/desc "Settings for the TLS certificates for securing communication between Contour and Envoy." -certificates: - #@schema/desc "Whether to use cert-manager to provision TLS certificates for securing communication between Contour and Envoy. If false, the upstream Contour certgen job will be used to provision certificates. 
If true, the cert-manager addon must be installed in the cluster." - useCertManager: false - - #@schema/desc "If using cert-manager, how long the certificates should be valid for. If useCertManager is false, this field is ignored." - duration: 8760h - - #@schema/desc "If using cert-manager, how long before expiration the certificates should be renewed. If useCertManager is false, this field is ignored." - renewBefore: 360h diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/upstream/contour.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/upstream/contour.yaml deleted file mode 100644 index 6c5f2e0aa..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream/upstream/contour.yaml +++ /dev/null 
@@ -1,5245 +0,0 @@ -# This file is generated from the individual YAML files by generate-deployment.sh. Do not -# edit this file directly but instead edit the source files and re-render. -# -# Generated from: -# examples/contour/00-common.yaml -# examples/contour/01-contour-config.yaml -# examples/contour/01-crds.yaml -# examples/contour/02-job-certgen.yaml -# examples/contour/02-rbac.yaml -# examples/contour/02-role-contour.yaml -# examples/contour/02-service-contour.yaml -# examples/contour/02-service-envoy.yaml -# examples/contour/03-contour.yaml -# examples/contour/03-envoy.yaml - ---- -apiVersion: v1 -kind: Namespace -metadata: - name: projectcontour ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: contour - namespace: projectcontour ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: envoy - namespace: projectcontour - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: contour - namespace: projectcontour -data: - contour.yaml: | - # - # server: - # determine which XDS Server implementation to utilize in Contour. - # xds-server-type: contour - # - # Specify the Gateway API configuration. - # gateway: - # controllerName: projectcontour.io/projectcontour/contour - # - # should contour expect to be running inside a k8s cluster - # incluster: true - # - # path to kubeconfig (if not running inside a k8s cluster) - # kubeconfig: /path/to/.kube/config - # - # Disable RFC-compliant behavior to strip "Content-Length" header if - # "Tranfer-Encoding: chunked" is also set. - # disableAllowChunkedLength: false - # - # Disable Envoy's non-standard merge_slashes path transformation option - # that strips duplicate slashes from request URLs. - # disableMergeSlashes: false - # - # Disable HTTPProxy permitInsecure field - disablePermitInsecure: false - tls: - # minimum TLS version that Contour will negotiate - # minimum-protocol-version: "1.2" - # TLS ciphers to be supported by Envoy TLS listeners when negotiating - # TLS 1.2. 
- # cipher-suites: - # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' - # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' - # - 'ECDHE-ECDSA-AES256-GCM-SHA384' - # - 'ECDHE-RSA-AES256-GCM-SHA384' - # Defines the Kubernetes name/namespace matching a secret to use - # as the fallback certificate when requests which don't match the - # SNI defined for a vhost. - fallback-certificate: - # name: fallback-secret-name - # namespace: projectcontour - envoy-client-certificate: - # name: envoy-client-cert-secret-name - # namespace: projectcontour - #### - # ExternalName Services are disabled by default due to CVE-2021-XXXXX - # You can re-enable them by setting this setting to `true`. - # This is not recommended without understanding the security implications. - # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. - # enableExternalNameService: false - ## - # Address to be placed in status.loadbalancer field of Ingress objects. - # May be either a literal IP address or a host name. - # The value will be placed directly into the relevant field inside the status.loadBalancer struct. - # ingress-status-address: local.projectcontour.io - ### Logging options - # Default setting - accesslog-format: envoy - # The default access log format is defined by Envoy but it can be customized by setting following variable. - # accesslog-format-string: "...\n" - # To enable JSON logging in Envoy - # accesslog-format: json - # accesslog-level: info - # The default fields that will be logged are specified below. - # To customise this list, just add or remove entries. 
- # The canonical list is available at - # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields - # json-fields: - # - "@timestamp" - # - "authority" - # - "bytes_received" - # - "bytes_sent" - # - "downstream_local_address" - # - "downstream_remote_address" - # - "duration" - # - "method" - # - "path" - # - "protocol" - # - "request_id" - # - "requested_server_name" - # - "response_code" - # - "response_flags" - # - "uber_trace_id" - # - "upstream_cluster" - # - "upstream_host" - # - "upstream_local_address" - # - "upstream_service_time" - # - "user_agent" - # - "x_forwarded_for" - # - "grpc_status" - # - # default-http-versions: - # - "HTTP/2" - # - "HTTP/1.1" - # - # The following shows the default proxy timeout settings. - # timeouts: - # request-timeout: infinity - # connection-idle-timeout: 60s - # stream-idle-timeout: 5m - # max-connection-duration: infinity - # delayed-close-timeout: 1s - # connection-shutdown-grace-period: 5s - # connect-timeout: 2s - # - # Envoy cluster settings. - # cluster: - # configure the cluster dns lookup family - # valid options are: auto (default), v4, v6 - # dns-lookup-family: auto - # - # Envoy network settings. - # network: - # Configure the number of additional ingress proxy hops from the - # right side of the x-forwarded-for HTTP header to trust. - # num-trusted-hops: 0 - # Configure the port used to access the Envoy Admin interface. - # admin-port: 9001 - # - # Configure an optional global rate limit service. - # rateLimitService: - # Identifies the extension service defining the rate limit service, - # formatted as /. - # extensionService: projectcontour/ratelimit - # Defines the rate limit domain to pass to the rate limit service. - # Acts as a container for a set of rate limit definitions within - # the RLS. 
- # domain: contour - # Defines whether to allow requests to proceed when the rate limit - # service fails to respond with a valid rate limit decision within - # the timeout defined on the extension service. - # failOpen: false - # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, - # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF - # Internet-Draft linked below), on responses to clients when the Rate - # Limit Service is consulted for a request. - # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html - # enableXRateLimitHeaders: false - # - # Global Policy settings. - # policy: - # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) - # request-headers: - # set: - # # example: the hostname of the Envoy instance that proxied the request - # X-Envoy-Hostname: %HOSTNAME% - # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for - # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% - # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) - # response-headers: - # set: - # # example: Envoy flags that provide additional details about the response or connection - # X-Envoy-Response-Flags: %RESPONSE_FLAGS% - # - # metrics: - # contour: - # address: 0.0.0.0 - # port: 8000 - # server-certificate-path: /path/to/server-cert.pem - # server-key-path: /path/to/server-private-key.pem - # ca-certificate-path: /path/to/root-ca-for-client-validation.pem - # envoy: - # address: 0.0.0.0 - # port: 8002 - # server-certificate-path: /path/to/server-cert.pem - # server-key-path: /path/to/server-private-key.pem - # ca-certificate-path: /path/to/root-ca-for-client-validation.pem - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - 
name: contourconfigurations.projectcontour.io -spec: - preserveUnknownFields: false - group: projectcontour.io - names: - kind: ContourConfiguration - listKind: ContourConfigurationList - plural: contourconfigurations - shortNames: - - contourconfig - singular: contourconfiguration - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContourConfiguration is the schema for a Contour instance. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ContourConfigurationSpec represents a configuration of a - Contour controller. It contains most of all the options that can be - customized, the other remaining options being command line flags. - properties: - debug: - description: Debug contains parameters to enable debug logging and - debug interfaces inside Contour. - properties: - address: - description: "Defines the Contour debug address interface. \n - Contour's default is \"127.0.0.1\"." - type: string - port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." - type: integer - type: object - enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." 
- type: boolean - envoy: - description: Envoy contains parameters for Envoy as well as how to - optionally configure a managed Envoy fleet. - properties: - clientCertificate: - description: ClientCertificate defines the namespace/name of the - Kubernetes secret containing the client certificate and private - key to be used when establishing TLS connection to upstream - cluster. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. - properties: - dnsLookupFamily: - description: "DNSLookupFamily defines how external names are - looked up When configured as V4, the DNS resolver will only - perform a lookup for addresses in the IPv4 family. If V6 - is configured, the DNS resolver will only perform a lookup - for addresses in the IPv6 family. If AUTO is configured, - the DNS resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. Note: This only applies to externalName - clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`. \n Other values will produce an error." - type: string - type: object - defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set of HTTPS - versions the proxy should accept. HTTP versions are strings - of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" - and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). - \n Other values will produce an error." - items: - description: HTTPVersionType is the name of a supported HTTP - version. - type: string - type: array - health: - description: "Health defines the endpoint Envoy uses to serve - health checks. 
\n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" - }." - properties: - accessLog: - description: AccessLog defines where Envoy logs are outputted - for this listener. - type: string - address: - description: Defines an Envoy Listener Address. - minLength: 1 - type: string - port: - description: Defines an Envoy listener Port. - type: integer - type: object - https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" - }." - properties: - accessLog: - description: AccessLog defines where Envoy logs are outputted - for this listener. - type: string - address: - description: Defines an Envoy Listener Address. - minLength: 1 - type: string - port: - description: Defines an Envoy listener Port. - type: integer - type: object - listener: - description: Listener hold various configurable Envoy listener - values. - properties: - connectionBalancer: - description: "ConnectionBalancer. If the value is exact, the - listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use the - default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. - \n Other values will produce an error." - type: string - disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header if - \"Transfer-Encoding: chunked\" is also set. 
This is an emergency - off-switch to revert back to Envoy's default behavior in - case of failures. Please file an issue if failures are encountered. - See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." - type: boolean - disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips duplicate - slashes from request URL paths. \n Contour's default is - false." - type: boolean - tls: - description: TLS holds various configurable Envoy TLS listener - values. - properties: - cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list - will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - \ - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - \ - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - \ - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - \ - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \ - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - \ - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - \ - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. 
\n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." - items: - type: string - type: array - minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." - type: string - type: object - useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n Contour's - default is false." - type: boolean - type: object - logging: - description: Logging defines how Envoy's logs can be configured. - properties: - accessLogFormat: - description: "AccessLogFormat sets the global access log format. - \n Values: `envoy` (default), `json`. \n Other values will - produce an error." - type: string - accessLogFormatString: - description: AccessLogFormatString sets the access log format - when format is set to `envoy`. When empty, Envoy's default - format is used. - type: string - accessLogJSONFields: - description: AccessLogJSONFields sets the fields that JSON - logging will output when AccessLogFormat is json. - items: - type: string - type: array - accessLogLevel: - description: "AccessLogLevel sets the verbosity level of the - access log. \n Values: `info` (default, meaning all requests - are logged), `error` and `disabled`. \n Other values will - produce an error." - type: string - type: object - metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8002 }." - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: TLS holds TLS file config details. 
Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - network: - description: Network holds various configurable Envoy network - values. - properties: - adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the admin - interface is disabled. \n Contour's default is 9001." - type: integer - numTrustedHops: - description: "XffNumTrustedHops defines the number of additional - ingress proxy hops from the right side of the x-forwarded-for - HTTP header to trust when determining the origin client’s - IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." - format: int32 - type: integer - type: object - service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - timeouts: - description: Timeouts holds various configurable timeouts that - can be set in the config file. - properties: - connectTimeout: - description: "ConnectTimeout defines how long the proxy should - wait when establishing connection to upstream service. If - not set, a default value of 2 seconds will be used. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." 
- type: string - connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the proxy - should wait while there are no active requests (for HTTP/1.1) - or streams (for HTTP/2) before terminating an HTTP connection. - Set to \"infinity\" to disable the timeout entirely. \n - See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." - type: string - connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how long - the proxy will wait between sending an initial GOAWAY frame - and a second, final GOAWAY frame when terminating an HTTP/2 - connection. During this grace period, the proxy will continue - to respond to new streams. After the final GOAWAY frame - has been sent, the proxy will refuse new streams. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." - type: string - delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy will - wait, once connection close processing has been initiated, - for the downstream peer to close the connection before Envoy - closes the socket associated with the connection. \n Setting - this timeout to 'infinity' will disable it, equivalent to - setting it to '0' in Envoy. Leaving it unset will result - in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." 
- type: string - maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum period - of time after an HTTP connection has been established from - the client to the proxy before it is closed by the proxy, - regardless of whether there has been activity or not. Omit - or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." - type: string - requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for the - entire request, not an idle timeout. Omit or set to \"infinity\" - to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." - type: string - streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for HTTP/1.1) - or stream activity (for HTTP/2) before terminating the HTTP - request or stream. Set to \"infinity\" to disable the timeout - entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." - type: string - type: object - type: object - gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. - properties: - controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. 
The string takes the form of - "projectcontour.io//contour". If unset, the gatewayclass - controller will not be started. Exactly one of ControllerName - or GatewayRef must be set. - type: string - gatewayRef: - description: GatewayRef defines a specific Gateway that this Contour - instance corresponds to. If set, Contour will reconcile only - this gateway, and will not reconcile any gateway classes. Exactly - one of ControllerName or GatewayRef must be set. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - health: - description: "Health defines the endpoints Contour uses to serve health - checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 - }." - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the permitInsecure - field in HTTPProxy. \n Contour's default is false." - type: boolean - fallbackCertificate: - description: FallbackCertificate defines the namespace/name of - the Kubernetes secret to use as fallback when a non-SNI request - is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces for - root ingress routes. - items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. 
- type: string - type: object - metrics: - description: "Metrics defines the endpoint Contour uses to serve metrics. - \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: TLS holds TLS file config details. Metrics and health - endpoints cannot have same port number when metrics is served - over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: "ApplyToIngress determines if the Policies will apply - to ingress objects \n Contour's default is false." - type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: RateLimitService optionally holds properties of the Rate - Limit Service to be used for global rate limiting. - properties: - domain: - description: Domain is passed to the Rate Limit Service. 
- type: string - enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit Service - is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" - type: boolean - extensionService: - description: ExtensionService identifies the extension service - defining the RLS. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - failOpen: - description: FailOpen defines whether to allow requests to proceed - when the Rate Limit Service fails to respond with a valid rate - limit decision within the timeout defined on the extension service. - type: boolean - required: - - extensionService - type: object - xdsServer: - description: XDSServer contains parameters for the xDS server. - properties: - address: - description: "Defines the xDS gRPC API address which Contour will - serve. \n Contour's default is \"0.0.0.0\"." - minLength: 1 - type: string - port: - description: "Defines the xDS gRPC API port which Contour will - serve. \n Contour's default is 8001." - type: integer - tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - insecure: - description: Allow serving the xDS gRPC API without TLS. - type: boolean - keyFile: - description: Client key filename. - type: string - type: object - type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values will - produce an error." 
- type: string - type: object - type: object - status: - description: ContourConfigurationStatus defines the observed state of - a ContourConfiguration resource. - properties: - conditions: - description: "Conditions contains the current status of the Contour - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." - items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. 
When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." - properties: - errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." - properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." - maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." - properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." - maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: contourdeployments.projectcontour.io -spec: - preserveUnknownFields: false - group: projectcontour.io - names: - kind: ContourDeployment - listKind: ContourDeploymentList - plural: contourdeployments - shortNames: - - contourdeploy - singular: contourdeployment - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContourDeployment is the schema for a Contour Deployment. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ContourDeploymentSpec specifies options for how a Contour - instance should be provisioned. - properties: - contour: - description: Contour specifies deployment-time settings for the Contour - part of the installation, i.e. the xDS server/control plane and - associated resources, including things like replica count for the - Deployment, and node placement constraints for the pods. - properties: - nodePlacement: - description: NodePlacement describes node scheduling configuration - of Contour pods. - properties: - nodeSelector: - additionalProperties: - type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." - type: object - tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . 
- properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - replicas: - description: Replicas is the desired number of Contour replicas. - If unset, defaults to 2. - format: int32 - minimum: 0 - type: integer - type: object - envoy: - description: Envoy specifies deployment-time settings for the Envoy - part of the installation, i.e. the xDS client/data plane and associated - resources, including things like the workload type to use (DaemonSet - or Deployment), node placement constraints for the pods, and various - options for the Envoy service. - properties: - networkPublishing: - description: NetworkPublishing defines how to expose Envoy to - a network. 
- properties: - serviceAnnotations: - additionalProperties: - type: string - description: ServiceAnnotations is the annotations to add - to the provisioned Envoy service. - type: object - type: - description: "NetworkPublishingType is the type of publishing - strategy to use. Valid values are: \n * LoadBalancerService - \n In this configuration, network endpoints for Envoy use - container networking. A Kubernetes LoadBalancer Service - is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - \n * NodePortService \n Publishes Envoy network endpoints - using a Kubernetes NodePort Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes - NodePort Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - \n * ClusterIPService \n Publishes Envoy network endpoints - using a Kubernetes ClusterIP Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes - ClusterIP Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - \n If unset, defaults to LoadBalancerService." - type: string - type: object - nodePlacement: - description: NodePlacement describes node scheduling configuration - of Envoy pods. - properties: - nodeSelector: - additionalProperties: - type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." 
- type: object - tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - replicas: - description: Replicas is the desired number of Envoy replicas. 
- If WorkloadType is not "Deployment", this field is ignored. - Otherwise, if unset, defaults to 2. - format: int32 - minimum: 0 - type: integer - workloadType: - description: WorkloadType is the type of workload to install Envoy - as. Choices are DaemonSet and Deployment. If unset, defaults - to DaemonSet. - type: string - type: object - runtimeSettings: - description: RuntimeSettings is a ContourConfiguration spec to be - used when provisioning a Contour instance that will influence aspects - of the Contour instance's runtime behavior. - properties: - debug: - description: Debug contains parameters to enable debug logging - and debug interfaces inside Contour. - properties: - address: - description: "Defines the Contour debug address interface. - \n Contour's default is \"127.0.0.1\"." - type: string - port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." - type: integer - type: object - enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." - type: boolean - envoy: - description: Envoy contains parameters for Envoy as well as how - to optionally configure a managed Envoy fleet. - properties: - clientCertificate: - description: ClientCertificate defines the namespace/name - of the Kubernetes secret containing the client certificate - and private key to be used when establishing TLS connection - to upstream cluster. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. - properties: - dnsLookupFamily: - description: "DNSLookupFamily defines how external names - are looked up When configured as V4, the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. 
If V6 is configured, the DNS resolver will only - perform a lookup for addresses in the IPv6 family. If - AUTO is configured, the DNS resolver will first perform - a lookup for addresses in the IPv6 family and fallback - to a lookup for addresses in the IPv4 family. Note: - This only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`. \n Other values will produce an error." - type: string - type: object - defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set - of HTTPS versions the proxy should accept. HTTP versions - are strings of the form \"HTTP/xx\". Supported versions - are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, - `HTTP/2` (default: both). \n Other values will produce an - error." - items: - description: HTTPVersionType is the name of a supported - HTTP version. - type: string - type: array - health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: - \"/dev/stdout\" }." - properties: - accessLog: - description: AccessLog defines where Envoy logs are outputted - for this listener. - type: string - address: - description: Defines an Envoy Listener Address. - minLength: 1 - type: string - port: - description: Defines an Envoy listener Port. - type: integer - type: object - https: - description: "Defines the HTTPS Listener for Envoy. 
\n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: - \"/dev/stdout\" }." - properties: - accessLog: - description: AccessLog defines where Envoy logs are outputted - for this listener. - type: string - address: - description: Defines an Envoy Listener Address. - minLength: 1 - type: string - port: - description: Defines an Envoy listener Port. - type: integer - type: object - listener: - description: Listener hold various configurable Envoy listener - values. - properties: - connectionBalancer: - description: "ConnectionBalancer. If the value is exact, - the listener will use the exact connection balancer - See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use - the default ConnectionBalancer, `exact`: use the Exact - ConnectionBalancer. \n Other values will produce an - error." - type: string - disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header - if \"Transfer-Encoding: chunked\" is also set. This - is an emergency off-switch to revert back to Envoy's - default behavior in case of failures. Please file an - issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." - type: boolean - disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips - duplicate slashes from request URL paths. \n Contour's - default is false." - type: boolean - tls: - description: TLS holds various configurable Envoy TLS - listener values. - properties: - cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. 
This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - \ - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - \ - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - \ - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - \ - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - \ - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \ - \"ECDHE-ECDSA-AES256-SHA\" - \"ECDHE-RSA-AES256-SHA\" - \ - \"AES256-GCM-SHA384\" - \"AES256-SHA\" \n - Contour recommends leaving this undefined unless - you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." - items: - type: string - type: array - minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." - type: string - type: object - useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n - Contour's default is false." - type: boolean - type: object - logging: - description: Logging defines how Envoy's logs can be configured. - properties: - accessLogFormat: - description: "AccessLogFormat sets the global access log - format. 
\n Values: `envoy` (default), `json`. \n Other - values will produce an error." - type: string - accessLogFormatString: - description: AccessLogFormatString sets the access log - format when format is set to `envoy`. When empty, Envoy's - default format is used. - type: string - accessLogJSONFields: - description: AccessLogJSONFields sets the fields that - JSON logging will output when AccessLogFormat is json. - items: - type: string - type: array - accessLogLevel: - description: "AccessLogLevel sets the verbosity level - of the access log. \n Values: `info` (default, meaning - all requests are logged), `error` and `disabled`. \n - Other values will produce an error." - type: string - type: object - metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: TLS holds TLS file config details. Metrics - and health endpoints cannot have same port number when - metrics is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - network: - description: Network holds various configurable Envoy network - values. - properties: - adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the - admin interface is disabled. \n Contour's default is - 9001." - type: integer - numTrustedHops: - description: "XffNumTrustedHops defines the number of - additional ingress proxy hops from the right side of - the x-forwarded-for HTTP header to trust when determining - the origin client’s IP address. 
\n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." - format: int32 - type: integer - type: object - service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - timeouts: - description: Timeouts holds various configurable timeouts - that can be set in the config file. - properties: - connectTimeout: - description: "ConnectTimeout defines how long the proxy - should wait when establishing connection to upstream - service. If not set, a default value of 2 seconds will - be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." - type: string - connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the - proxy should wait while there are no active requests - (for HTTP/1.1) or streams (for HTTP/2) before terminating - an HTTP connection. Set to \"infinity\" to disable the - timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." - type: string - connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how - long the proxy will wait between sending an initial - GOAWAY frame and a second, final GOAWAY frame when terminating - an HTTP/2 connection. During this grace period, the - proxy will continue to respond to new streams. After - the final GOAWAY frame has been sent, the proxy will - refuse new streams. 
\n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." - type: string - delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy - will wait, once connection close processing has been - initiated, for the downstream peer to close the connection - before Envoy closes the socket associated with the connection. - \n Setting this timeout to 'infinity' will disable it, - equivalent to setting it to '0' in Envoy. Leaving it - unset will result in the Envoy default value being used. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." - type: string - maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum - period of time after an HTTP connection has been established - from the client to the proxy before it is closed by - the proxy, regardless of whether there has been activity - or not. Omit or set to \"infinity\" for no max duration. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." - type: string - requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for - the entire request, not an idle timeout. Omit or set - to \"infinity\" to disable the timeout entirely. 
\n - See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." - type: string - streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for - HTTP/1.1) or stream activity (for HTTP/2) before terminating - the HTTP request or stream. Set to \"infinity\" to disable - the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." - type: string - type: object - type: object - gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. - properties: - controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form - of "projectcontour.io//contour". If unset, the - gatewayclass controller will not be started. Exactly one - of ControllerName or GatewayRef must be set. - type: string - gatewayRef: - description: GatewayRef defines a specific Gateway that this - Contour instance corresponds to. If set, Contour will reconcile - only this gateway, and will not reconcile any gateway classes. - Exactly one of ControllerName or GatewayRef must be set. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: object - health: - description: "Health defines the endpoints Contour uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8000 }." - properties: - address: - description: Defines the health address interface. 
- minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. \n Contour's default - is false." - type: boolean - fallbackCertificate: - description: FallbackCertificate defines the namespace/name - of the Kubernetes secret to use as fallback when a non-SNI - request is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces - for root ingress routes. - items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. - type: string - type: object - metrics: - description: "Metrics defines the endpoint Contour uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8000 }." - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. 
- type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: "ApplyToIngress determines if the Policies will - apply to ingress objects \n Contour's default is false." - type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: RateLimitService optionally holds properties of the - Rate Limit Service to be used for global rate limiting. - properties: - domain: - description: Domain is passed to the Rate Limit Service. - type: string - enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit - Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" - type: boolean - extensionService: - description: ExtensionService identifies the extension service - defining the RLS. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - failOpen: - description: FailOpen defines whether to allow requests to - proceed when the Rate Limit Service fails to respond with - a valid rate limit decision within the timeout defined on - the extension service. 
- type: boolean - required: - - extensionService - type: object - xdsServer: - description: XDSServer contains parameters for the xDS server. - properties: - address: - description: "Defines the xDS gRPC API address which Contour - will serve. \n Contour's default is \"0.0.0.0\"." - minLength: 1 - type: string - port: - description: "Defines the xDS gRPC API port which Contour - will serve. \n Contour's default is 8001." - type: integer - tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - insecure: - description: Allow serving the xDS gRPC API without TLS. - type: boolean - keyFile: - description: Client key filename. - type: string - type: object - type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values - will produce an error." - type: string - type: object - type: object - type: object - status: - description: ContourDeploymentStatus defines the observed state of a ContourDeployment - resource. - properties: - conditions: - description: Conditions describe the current conditions of the ContourDeployment - resource. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: extensionservices.projectcontour.io -spec: - preserveUnknownFields: false - group: projectcontour.io - names: - kind: ExtensionService - listKind: ExtensionServiceList - plural: extensionservices - shortNames: - - extensionservice - - extensionservices - singular: extensionservice - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExtensionService is the schema for the Contour extension services - API. An ExtensionService resource binds a network service to the Contour - API so that Contour API features can be implemented by collaborating components. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExtensionServiceSpec defines the desired state of an ExtensionService - resource. - properties: - loadBalancerPolicy: - description: The policy for load balancing GRPC service requests. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. - properties: - requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy is chosen. - If an element of the supplied list of hash policies is invalid, - it will be ignored. If the list of hash policies is empty after - validation, the load balancing strategy will fall back the the - default `RoundRobin`. - items: - description: RequestHashPolicy contains configuration for an - individual hash policy on a request attribute. - properties: - hashSourceIP: - description: HashSourceIP should be set to true when request - source IP hash based load balancing is desired. It must - be the only hash option field set, otherwise this request - hash policy object will be ignored. - type: boolean - headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must be - the only hash option field set, otherwise this request - hash policy object will be ignored. - properties: - headerName: - description: HeaderName is the name of the HTTP request - header that will be used to calculate the hash key. 
- If the header specified is not present on a request, - no hash will be produced. - minLength: 1 - type: string - type: object - queryParameterHashOptions: - description: QueryParameterHashOptions should be set when - request query parameter hash based load balancing is desired. - It must be the only hash option field set, otherwise this - request hash policy object will be ignored. - properties: - parameterName: - description: ParameterName is the name of the HTTP request - query parameter that will be used to calculate the - hash key. If the query parameter specified is not - present on a request, no hash will be produced. - minLength: 1 - type: string - type: object - terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to true, - and the request attribute specified in the attribute hash - options is present, no further hash policies will be used - to calculate a hash for the request. - type: boolean - type: object - type: array - strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. - type: string - type: object - protocol: - description: Protocol may be used to specify (or override) the protocol - used to reach this Service. Values may be h2 or h2c. If omitted, - protocol-selection falls back on Service annotations. - enum: - - h2 - - h2c - type: string - protocolVersion: - description: This field sets the version of the GRPC protocol that - Envoy uses to send requests to the extension service. Since Contour - always uses the v3 Envoy API, this is currently fixed at "v3". However, - other protocol options will be available in future. 
- enum: - - v3 - type: string - services: - description: Services specifies the set of Kubernetes Service resources - that receive GRPC extension API requests. If no weights are specified - for any of the entries in this array, traffic will be spread evenly - across all the services. Otherwise, traffic is balanced proportionally - to the Weight field in each entry. - items: - description: ExtensionServiceTarget defines an Kubernetes Service - to target with extension service traffic. - properties: - name: - description: Name is the name of Kubernetes service that will - accept service traffic. - type: string - port: - description: Port (defined as Integer) to proxy traffic to since - a service can have multiple defined. - exclusiveMaximum: true - maximum: 65536 - minimum: 1 - type: integer - weight: - description: Weight defines proportion of traffic to balance - to the Kubernetes Service. - format: int32 - type: integer - required: - - name - - port - type: object - minItems: 1 - type: array - timeoutPolicy: - description: The timeout policy for requests to the services. - properties: - idle: - description: Timeout for how long the proxy should wait while - there is no activity during single request/response (for HTTP/1.1) - or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 - connection is idle between two consecutive requests. If not - specified, there is no per-route idle timeout, though a connection - manager-wide stream_idle_timeout default of 5m still applies. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - idleConnection: - description: Timeout for how long connection from the proxy to - the upstream service is kept when there are no active requests. - If not supplied, Envoy's default value of 1h applies. 
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, Envoy's - default value of 15s applies. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - validation: - description: UpstreamValidation defines how to verify the backend - service's certificate - properties: - caSecret: - description: Name or namespaced name of the Kubernetes secret - used to validate the certificate presented by the backend. The - secret must contain key named ca.crt. - type: string - subjectName: - description: Key which is expected to be present in the 'subjectAltName' - of the presented certificate. - type: string - required: - - caSecret - - subjectName - type: object - required: - - services - type: object - status: - description: ExtensionServiceStatus defines the observed state of an ExtensionService - resource. - properties: - conditions: - description: "Conditions contains the current status of the ExtensionService - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." - items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. 
- \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." - properties: - errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. 
\n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." - properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." - maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." 
- items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." - properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." - maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. 
\n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: httpproxies.projectcontour.io -spec: - preserveUnknownFields: false - group: projectcontour.io - names: - kind: HTTPProxy - listKind: HTTPProxyList - plural: httpproxies - shortNames: - - proxy - - proxies - singular: httpproxy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Fully qualified domain name - jsonPath: .spec.virtualhost.fqdn - name: FQDN - type: string - - description: Secret with TLS credentials - jsonPath: .spec.virtualhost.tls.secretName - name: TLS Secret - type: string - - description: The current status of the HTTPProxy - jsonPath: .status.currentStatus - name: Status - type: string - - description: Description of the current status - jsonPath: .status.description - name: Status Description - type: string - name: v1 - schema: - openAPIV3Schema: - description: HTTPProxy is an Ingress CRD specification. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HTTPProxySpec defines the spec of the CRD. - properties: - includes: - description: Includes allow for specific routing configuration to - be included from another HTTPProxy, possibly in another namespace. - items: - description: Include describes a set of policies that can be applied - to an HTTPProxy in a namespace. - properties: - conditions: - description: 'Conditions are a set of rules that are applied - to included HTTPProxies. In effect, they are added onto the - Conditions of included HTTPProxy Route structs. When applied, - they are merged using AND, with one exception: There can be - only one Prefix MatchCondition per Conditions slice. More - than one Prefix, or contradictory Conditions, will make the - include invalid.' - items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix or Header must be provided. - properties: - header: - description: Header specifies the header condition to - match. - properties: - contains: - description: Contains specifies a substring that must - be present in the header value. - type: string - exact: - description: Exact specifies a string that the header - value must be equal to. - type: string - name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. - type: string - notcontains: - description: NotContains specifies a substring that - must not be present in the header value. 
- type: string - notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. - type: string - notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. - type: boolean - present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header - is absent. - type: boolean - required: - - name - type: object - prefix: - description: Prefix defines a prefix match for a request. - type: string - type: object - type: array - name: - description: Name of the HTTPProxy - type: string - namespace: - description: Namespace of the HTTPProxy to include. Defaults - to the current namespace if not supplied. - type: string - required: - - name - type: object - type: array - ingressClassName: - description: IngressClassName optionally specifies the ingress class - to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is - set, it is given precedence over this field. - type: string - routes: - description: Routes are the ingress routes. If TCPProxy is present, - Routes is ignored. - items: - description: Route contains the set of routes for a virtual host. - properties: - authPolicy: - description: AuthPolicy updates the authorization policy that - was set on the root HTTPProxy object for client requests that - match this route. - properties: - context: - additionalProperties: - type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. 
- If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. - type: object - disabled: - description: When true, this field disables client request - authentication for the scope of the policy. - type: boolean - type: object - conditions: - description: 'Conditions are a set of rules that are applied - to a Route. When applied, they are merged using AND, with - one exception: There can be only one Prefix MatchCondition - per Conditions slice. More than one Prefix, or contradictory - Conditions, will make the route invalid.' - items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix or Header must be provided. - properties: - header: - description: Header specifies the header condition to - match. - properties: - contains: - description: Contains specifies a substring that must - be present in the header value. - type: string - exact: - description: Exact specifies a string that the header - value must be equal to. - type: string - name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. - type: string - notcontains: - description: NotContains specifies a substring that - must not be present in the header value. - type: string - notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. - type: string - notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. - type: boolean - present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header - is absent. 
- type: boolean - required: - - name - type: object - prefix: - description: Prefix defines a prefix match for a request. - type: string - type: object - type: array - cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header attributes. - Note that rewritten cookie names must be unique in this list. - Order rewrite policies are specified in does not matter. - items: - properties: - domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. - properties: - value: - description: Value is the value to rewrite the Domain - attribute to. For now this is required. - maxLength: 4096 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - value - type: object - name: - description: Name is the name of the cookie for which - attributes will be rewritten. - maxLength: 4096 - minLength: 1 - pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ - type: string - pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. - properties: - value: - description: Value is the value to rewrite the Path - attribute to. For now this is required. - maxLength: 4096 - minLength: 1 - pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ - type: string - required: - - value - type: object - sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute will - not be rewritten. - enum: - - Strict - - Lax - - None - type: string - secure: - description: Secure enables rewriting the Set-Cookie Secure - element. If not set, Secure attribute will not be rewritten. 
- type: boolean - required: - - name - type: object - type: array - directResponsePolicy: - description: DirectResponsePolicy returns an arbitrary HTTP - response directly. - properties: - body: - description: "Body is the content of the response body. - If this setting is omitted, no body is included in the - generated response. \n Note: Body is not recommended to - set too long otherwise it can have significant resource - usage impacts." - type: string - statusCode: - description: StatusCode is the HTTP response status to be - returned. - maximum: 599 - minimum: 200 - type: integer - required: - - statusCode - type: object - enableWebsockets: - description: Enables websocket support for the route. - type: boolean - healthCheckPolicy: - description: The health check policy for this route. - properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int64 - minimum: 0 - type: integer - host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name - "contour-envoy-healthcheck" will be used. - type: string - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - path: - description: HTTP endpoint used to perform health checks - on upstream service - type: string - timeoutSeconds: - description: The time to wait (seconds) for a health check - response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int64 - minimum: 0 - type: integer - required: - - path - type: object - loadBalancerPolicy: - description: The load balancing policy for this route. - properties: - requestHashPolicies: - description: RequestHashPolicies contains a list of hash - policies to apply when the `RequestHash` load balancing - strategy is chosen. 
If an element of the supplied list - of hash policies is invalid, it will be ignored. If the - list of hash policies is empty after validation, the load - balancing strategy will fall back the the default `RoundRobin`. - items: - description: RequestHashPolicy contains configuration - for an individual hash policy on a request attribute. - properties: - hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. - type: boolean - headerHashOptions: - description: HeaderHashOptions should be set when - request header hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. - properties: - headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not - present on a request, no hash will be produced. - minLength: 1 - type: string - type: object - queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. - properties: - parameterName: - description: ParameterName is the name of the - HTTP request query parameter that will be used - to calculate the hash key. If the query parameter - specified is not present on a request, no hash - will be produced. - minLength: 1 - type: string - type: object - terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set - to true, and the request attribute specified in - the attribute hash options is present, no further - hash policies will be used to calculate a hash for - the request. 
- type: boolean - type: object - type: array - strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy - names are `Random`, `RoundRobin`, `WeightedLeastRequest`, - `Cookie`, and `RequestHash`. If an unknown strategy name - is specified or no policy is supplied, the default `RoundRobin` - policy is used. - type: string - type: object - pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. - properties: - replacePrefix: - description: ReplacePrefix describes how the path prefix - should be replaced. - items: - description: ReplacePrefix describes a path prefix replacement. - properties: - prefix: - description: "Prefix specifies the URL path prefix - to be replaced. \n If Prefix is specified, it must - exactly match the MatchCondition prefix that is - rendered by the chain of including HTTPProxies and - only that path prefix will be replaced by Replacement. - This allows HTTPProxies that are included through - multiple roots to only replace specific path prefixes, - leaving others unmodified. \n If Prefix is not specified, - all routing prefixes rendered by the include chain - will be replaced." - minLength: 1 - type: string - replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not - be empty. - minLength: 1 - type: string - required: - - replacement - type: object - type: array - type: object - permitInsecure: - description: Allow this path to respond to insecure requests - over HTTP which are normally not permitted when a `virtualhost.tls` - block is present. - type: boolean - rateLimitPolicy: - description: The policy for rate limiting on the route. - properties: - global: - description: Global defines global rate limiting parameters, - i.e. 
parameters defining descriptors that are sent to - an external rate limit service (RLS) for a rate limit - decision on each request. - properties: - descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit - service. Each descriptor contains 1+ key-value pair - entries. - items: - description: RateLimitDescriptor defines a list of - key-value pair generators. - properties: - entries: - description: Entries is the list of key-value - pair generators. - items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this - struct must be non-nil. - properties: - genericKey: - description: GenericKey defines a descriptor - entry with a static key and value. - properties: - key: - description: Key defines the key of - the descriptor entry. If not set, - the key is set to "generic_key". - type: string - value: - description: Value defines the value - of the descriptor entry. - minLength: 1 - type: string - type: object - remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). - type: object - requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given - header is present on the request. The - descriptor key is static, and the descriptor - value is equal to the value of the header. - properties: - descriptorKey: - description: DescriptorKey defines the - key to use on the descriptor entry. - minLength: 1 - type: string - headerName: - description: HeaderName defines the - name of the header to look for on - the request. - minLength: 1 - type: string - type: object - requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if - the request's headers match a set of 1+ - match criteria. 
The descriptor key is - "header_match", and the descriptor value - is static. - properties: - expectMatch: - default: true - description: ExpectMatch defines whether - the request must positively match - the match criteria in order to generate - a descriptor entry (i.e. true), or - not match the match criteria in order - to generate a descriptor entry (i.e. - false). The default is true. - type: boolean - headers: - description: Headers is a list of 1+ - match criteria to apply against the - request to determine whether to populate - the descriptor entry or not. - items: - description: HeaderMatchCondition - specifies how to conditionally match - against HTTP headers. The Name field - is required, but only one of the - remaining fields should be be provided. - properties: - contains: - description: Contains specifies - a substring that must be present - in the header value. - type: string - exact: - description: Exact specifies a - string that the header value - must be equal to. - type: string - name: - description: Name is the name - of the header to match against. - Name is required. Header names - are case insensitive. - type: string - notcontains: - description: NotContains specifies - a substring that must not be - present in the header value. - type: string - notexact: - description: NoExact specifies - a string that the header value - must not be equal to. The condition - is true if the header has any - other value. - type: string - notpresent: - description: NotPresent specifies - that condition is true when - the named header is not present. - Note that setting NotPresent - to false does not make the condition - true if the named header is - present. - type: boolean - present: - description: Present specifies - that condition is true when - the named header is present, - regardless of its value. Note - that setting Present to false - does not make the condition - true if the named header is - absent. 
- type: boolean - required: - - name - type: object - minItems: 1 - type: array - value: - description: Value defines the value - of the descriptor entry. - minLength: 1 - type: string - type: object - type: object - minItems: 1 - type: array - type: object - minItems: 1 - type: array - type: object - local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. - properties: - burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. - format: int32 - type: integer - requests: - description: Requests defines how many requests per - unit of time should be allowed before rate limiting - occurs. - format: int32 - minimum: 1 - type: integer - responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. - format: int32 - maximum: 599 - minimum: 400 - type: integer - unit: - description: Unit defines the period of time within - which requests over the limit will be rate limited. - Valid values are "second", "minute" and "hour". 
- enum: - - second - - minute - - hour - type: string - required: - - requests - - unit - type: object - type: object - requestHeadersPolicy: - description: The policy for managing request headers during - proxying. - properties: - remove: - description: Remove specifies a list of HTTP header names - to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - requestRedirectPolicy: - description: RequestRedirectPolicy defines an HTTP redirection. - properties: - hostname: - description: Hostname is the precise hostname to be used - in the value of the `Location` header in the response. - When empty, the hostname of the request is used. No wildcards - are allowed. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: "Path allows for redirection to a different - path from the original on the request. The path must start - with a leading slash. \n Note: Only one of Path or Prefix - can be defined." - pattern: ^\/.*$ - type: string - port: - description: Port is the port to be used in the value of - the `Location` header in the response. When empty, port - (if specified) of the request is used. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - prefix: - description: "Prefix defines the value to swap the matched - prefix or path with. The prefix must start with a leading - slash. 
\n Note: Only one of Path or Prefix can be defined." - pattern: ^\/.*$ - type: string - scheme: - description: Scheme is the scheme to be used in the value - of the `Location` header in the response. When empty, - the scheme of the request is used. - enum: - - http - - https - type: string - statusCode: - default: 302 - description: StatusCode is the HTTP status code to be used - in response. - enum: - - 301 - - 302 - type: integer - type: object - responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. - properties: - remove: - description: Remove specifies a list of HTTP header names - to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - retryPolicy: - description: The retry policy for this route. - properties: - count: - default: 1 - description: NumRetries is maximum allowed number of retries. - If set to -1, then retries are disabled. If set to 0 or - not supplied, the value is set to the Envoy default of - 1. - format: int64 - minimum: -1 - type: integer - perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. 
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - retriableStatusCodes: - description: "RetriableStatusCodes specifies the HTTP status - codes that should be retried. \n This field is only respected - when you include `retriable-status-codes` in the `RetryOn` - field." - items: - format: int32 - type: integer - type: array - retryOn: - description: "RetryOn specifies the conditions on which - to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): - \n - `5xx` - `gateway-error` - `reset` - `connect-failure` - - `retriable-4xx` - `refused-stream` - `retriable-status-codes` - - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): - \n - `cancelled` - `deadline-exceeded` - `internal` - - `resource-exhausted` - `unavailable`" - items: - description: RetryOn is a string type alias with validation - to ensure that the value is valid. - enum: - - 5xx - - gateway-error - - reset - - connect-failure - - retriable-4xx - - refused-stream - - retriable-status-codes - - retriable-headers - - cancelled - - deadline-exceeded - - internal - - resource-exhausted - - unavailable - type: string - type: array - type: object - services: - description: Services are the services to proxy traffic. - items: - description: Service defines an Kubernetes Service to proxy - traffic. - properties: - cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header - attributes. - items: - properties: - domainRewrite: - description: DomainRewrite enables rewriting the - Set-Cookie Domain element. If not set, Domain - will not be rewritten. - properties: - value: - description: Value is the value to rewrite the - Domain attribute to. 
For now this is required. - maxLength: 4096 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - value - type: object - name: - description: Name is the name of the cookie for - which attributes will be rewritten. - maxLength: 4096 - minLength: 1 - pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ - type: string - pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. - properties: - value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. - maxLength: 4096 - minLength: 1 - pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ - type: string - required: - - value - type: object - sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. - enum: - - Strict - - Lax - - None - type: string - secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. - type: boolean - required: - - name - type: object - type: array - mirror: - description: If Mirror is true the Service will receive - a read only mirror of the traffic for this route. - type: boolean - name: - description: Name is the name of Kubernetes service to - proxy traffic. Names defined here will be used to look - up corresponding endpoints which contain the ips to - route. - type: string - port: - description: Port (defined as Integer) to proxy traffic - to since a service can have multiple defined. 
- exclusiveMaximum: true - maximum: 65536 - minimum: 1 - type: integer - protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may - be tls, h2, h2c. If omitted, protocol-selection falls - back on Service annotations. - enum: - - h2 - - h2c - - tls - type: string - requestHeadersPolicy: - description: The policy for managing request headers during - proxying. Rewriting the 'Host' header is not supported. - properties: - remove: - description: Remove specifies a list of HTTP header - names to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a - header specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - responseHeadersPolicy: - description: The policy for managing response headers - during proxying. Rewriting the 'Host' header is not - supported. - properties: - remove: - description: Remove specifies a list of HTTP header - names to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. 
- items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a - header specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - validation: - description: UpstreamValidation defines how to verify - the backend service's certificate - properties: - caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. - type: string - subjectName: - description: Key which is expected to be present in - the 'subjectAltName' of the presented certificate. - type: string - required: - - caSecret - - subjectName - type: object - weight: - description: Weight defines percentage of traffic to balance - traffic - format: int64 - minimum: 0 - type: integer - required: - - name - - port - type: object - type: array - timeoutPolicy: - description: The timeout policy for this route. - properties: - idle: - description: Timeout for how long the proxy should wait - while there is no activity during single request/response - (for HTTP/1.1) or stream (for HTTP/2). Timeout will not - trigger while HTTP/1.1 connection is idle between two - consecutive requests. If not specified, there is no per-route - idle timeout, though a connection manager-wide stream_idle_timeout - default of 5m still applies. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - idleConnection: - description: Timeout for how long connection from the proxy - to the upstream service is kept when there are no active - requests. If not supplied, Envoy's default value of 1h - applies. 
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, - Envoy's default value of 15s applies. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - type: object - type: array - tcpproxy: - description: TCPProxy holds TCP proxy information. - properties: - healthCheckPolicy: - description: The health check policy for this tcp proxy - properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int32 - type: integer - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - timeoutSeconds: - description: The time to wait (seconds) for a health check - response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int32 - type: integer - type: object - include: - description: Include specifies that this tcpproxy should be delegated - to another HTTPProxy. - properties: - name: - description: Name of the child HTTPProxy - type: string - namespace: - description: Namespace of the HTTPProxy to include. Defaults - to the current namespace if not supplied. - type: string - required: - - name - type: object - includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. \n - Exists due to a mistake when developing HTTPProxy and the field - was marked plural when it should have been singular. This field - should stay to not break backwards compatibility to v1 users." 
- properties: - name: - description: Name of the child HTTPProxy - type: string - namespace: - description: Namespace of the HTTPProxy to include. Defaults - to the current namespace if not supplied. - type: string - required: - - name - type: object - loadBalancerPolicy: - description: The load balancing policy for the backend services. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. - properties: - requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy - is chosen. If an element of the supplied list of hash policies - is invalid, it will be ignored. If the list of hash policies - is empty after validation, the load balancing strategy will - fall back the the default `RoundRobin`. - items: - description: RequestHashPolicy contains configuration for - an individual hash policy on a request attribute. - properties: - hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. - type: boolean - headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must - be the only hash option field set, otherwise this - request hash policy object will be ignored. - properties: - headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not present - on a request, no hash will be produced. - minLength: 1 - type: string - type: object - queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. 
- properties: - parameterName: - description: ParameterName is the name of the HTTP - request query parameter that will be used to calculate - the hash key. If the query parameter specified - is not present on a request, no hash will be produced. - minLength: 1 - type: string - type: object - terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to - true, and the request attribute specified in the attribute - hash options is present, no further hash policies - will be used to calculate a hash for the request. - type: boolean - type: object - type: array - strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, - and `RequestHash`. If an unknown strategy name is specified - or no policy is supplied, the default `RoundRobin` policy - is used. - type: string - type: object - services: - description: Services are the services to proxy traffic - items: - description: Service defines an Kubernetes Service to proxy - traffic. - properties: - cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header - attributes. - items: - properties: - domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. - properties: - value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. - maxLength: 4096 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - value - type: object - name: - description: Name is the name of the cookie for which - attributes will be rewritten. 
- maxLength: 4096 - minLength: 1 - pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ - type: string - pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. - properties: - value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. - maxLength: 4096 - minLength: 1 - pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ - type: string - required: - - value - type: object - sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. - enum: - - Strict - - Lax - - None - type: string - secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. - type: boolean - required: - - name - type: object - type: array - mirror: - description: If Mirror is true the Service will receive - a read only mirror of the traffic for this route. - type: boolean - name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. - type: string - port: - description: Port (defined as Integer) to proxy traffic - to since a service can have multiple defined. - exclusiveMaximum: true - maximum: 65536 - minimum: 1 - type: integer - protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. - enum: - - h2 - - h2c - - tls - type: string - requestHeadersPolicy: - description: The policy for managing request headers during - proxying. 
Rewriting the 'Host' header is not supported. - properties: - remove: - description: Remove specifies a list of HTTP header - names to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. - properties: - remove: - description: Remove specifies a list of HTTP header - names to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - validation: - description: UpstreamValidation defines how to verify the - backend service's certificate - properties: - caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. 
- type: string - subjectName: - description: Key which is expected to be present in - the 'subjectAltName' of the presented certificate. - type: string - required: - - caSecret - - subjectName - type: object - weight: - description: Weight defines percentage of traffic to balance - traffic - format: int64 - minimum: 0 - type: integer - required: - - name - - port - type: object - type: array - type: object - virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root" HTTPProxy. - properties: - authorization: - description: This field configures an extension service to perform - authorization for this virtual host. Authorization can only - be configured on virtual hosts that have TLS enabled. If the - TLS configuration requires client certificate validation, the - client certificate is always included in the authentication - check request. - properties: - authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. - properties: - context: - additionalProperties: - type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. - type: object - disabled: - description: When true, this field disables client request - authentication for the scope of the policy. - type: boolean - type: object - extensionRef: - description: ExtensionServiceRef specifies the extension resource - that will authorize client requests. - properties: - apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used - minLength: 1 - type: string - name: - description: "Name of the referent. 
\n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - minLength: 1 - type: string - namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" - minLength: 1 - type: string - type: object - failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications - from internal authorization to Contour external authorization. - type: boolean - responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - withRequestBody: - description: WithRequestBody specifies configuration for sending - the client request's body to authorization server. - properties: - allowPartialMessage: - description: If AllowPartialMessage is true, then Envoy - will buffer the body until MaxRequestBytes are reached. - type: boolean - maxRequestBytes: - default: 1024 - description: MaxRequestBytes sets the maximum size of - message body ExtAuthz filter will hold in-memory. - format: int32 - minimum: 1 - type: integer - packAsBytes: - description: If PackAsBytes is true, the body sent to - Authorization Server is in raw bytes. 
- type: boolean - type: object - required: - - extensionRef - type: object - corsPolicy: - description: Specifies the cross-origin policy to apply to the - VirtualHost. - properties: - allowCredentials: - description: Specifies whether the resource allows credentials. - type: boolean - allowHeaders: - description: AllowHeaders specifies the content for the *access-control-allow-headers* - header. - items: - description: CORSHeaderValue specifies the value of the - string headers returned by a cross-domain request. - pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ - type: string - type: array - allowMethods: - description: AllowMethods specifies the content for the *access-control-allow-methods* - header. - items: - description: CORSHeaderValue specifies the value of the - string headers returned by a cross-domain request. - pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ - type: string - type: array - allowOrigin: - description: AllowOrigin specifies the origins that will be - allowed to do CORS requests. "*" means allow any origin. - items: - type: string - type: array - exposeHeaders: - description: ExposeHeaders Specifies the content for the *access-control-expose-headers* - header. - items: - description: CORSHeaderValue specifies the value of the - string headers returned by a cross-domain request. - pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ - type: string - type: array - maxAge: - description: MaxAge indicates for how long the results of - a preflight request can be cached. MaxAge durations are - expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". Only positive values are allowed while 0 disables the - cache requiring a preflight OPTIONS check for all cross-origin - requests. 
- type: string - required: - - allowMethods - - allowOrigin - type: object - fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn. - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - rateLimitPolicy: - description: The policy for rate limiting on the virtual host. - properties: - global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to an - external rate limit service (RLS) for a rate limit decision - on each request. - properties: - descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. - items: - description: RateLimitDescriptor defines a list of key-value - pair generators. - properties: - entries: - description: Entries is the list of key-value pair - generators. - items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. - properties: - genericKey: - description: GenericKey defines a descriptor - entry with a static key and value. - properties: - key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". - type: string - value: - description: Value defines the value of - the descriptor entry. - minLength: 1 - type: string - type: object - remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). - type: object - requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. 
- properties: - descriptorKey: - description: DescriptorKey defines the - key to use on the descriptor entry. - minLength: 1 - type: string - headerName: - description: HeaderName defines the name - of the header to look for on the request. - minLength: 1 - type: string - type: object - requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. - properties: - expectMatch: - default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). - The default is true. - type: boolean - headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. - items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - but only one of the remaining fields - should be be provided. - properties: - contains: - description: Contains specifies - a substring that must be present - in the header value. - type: string - exact: - description: Exact specifies a string - that the header value must be - equal to. - type: string - name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. - type: string - notcontains: - description: NotContains specifies - a substring that must not be present - in the header value. - type: string - notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. 
- type: string - notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. - type: boolean - present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. - type: boolean - required: - - name - type: object - minItems: 1 - type: array - value: - description: Value defines the value of - the descriptor entry. - minLength: 1 - type: string - type: object - type: object - minItems: 1 - type: array - type: object - minItems: 1 - type: array - type: object - local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. - properties: - burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. - format: int32 - type: integer - requests: - description: Requests defines how many requests per unit - of time should be allowed before rate limiting occurs. - format: int32 - minimum: 1 - type: integer - responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). 
If not specified, - the Envoy default of 429 (Too Many Requests) is used. - format: int32 - maximum: 599 - minimum: 400 - type: integer - unit: - description: Unit defines the period of time within which - requests over the limit will be rate limited. Valid - values are "second", "minute" and "hour". - enum: - - second - - minute - - hour - type: string - required: - - requests - - unit - type: object - type: object - tls: - description: If present the fields describes TLS properties of - the virtual host. The SNI names that will be matched on are - described in fqdn, the tls.secretName secret must contain a - certificate that itself contains a name that matches the FQDN. - properties: - clientValidation: - description: "ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. \n This setting: \n 1. Enables TLS client certificate - validation. 2. Specifies how the client certificate will - be validated (i.e. validation required or skipped). \n - Note: Setting client certificate validation to be skipped - should be only used in conjunction with an external authorization - server that performs client validation as Contour will ensure - client certificates are passed along." - properties: - caSecret: - description: Name of a Kubernetes secret that contains - a CA certificate bundle. The secret must contain key - named ca.crt. The client certificate must validate against - the certificates in the bundle. If specified and SkipClientCertValidation - is true, client certificates will be required on requests. - minLength: 1 - type: string - crlOnlyVerifyLeafCert: - description: If this option is set to true, only the certificate - at the end of the certificate chain will be subject - to validation by CRL. - type: boolean - crlSecret: - description: Name of a Kubernetes opaque secret that contains - a concatenated list of PEM encoded CRLs. The secret - must contain key named crl.pem. 
This field will be used - to verify that a client certificate has not been revoked. - CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert - is true. Large CRL lists are not supported since individual - secrets are limited to 1MiB in size. - minLength: 1 - type: string - skipClientCertValidation: - description: SkipClientCertValidation disables downstream - client certificate validation. Defaults to false. This - field is intended to be used in conjunction with external - authorization in order to enable the external authorization - server to validate client certificates. When this field - is set to true, client certificates are requested but - not verified by Envoy. If CACertificate is specified, - client certificates are required on requests, but not - verified. If external authorization is in use, they - are presented to the external authorization server. - type: boolean - type: object - enableFallbackCertificate: - description: EnableFallbackCertificate defines if the vhost - should allow a default certificate to be applied which handles - all requests which don't match the SNI defined in this vhost. - type: boolean - minimumProtocolVersion: - description: MinimumProtocolVersion is the minimum TLS version - this vhost should negotiate. Valid options are `1.2` (default) - and `1.3`. Any other value defaults to TLS 1.2. - type: string - passthrough: - description: Passthrough defines whether the encrypted TLS - handshake will be passed through to the backing cluster. - Either Passthrough or SecretName must be specified, but - not both. - type: boolean - secretName: - description: SecretName is the name of a TLS secret in the - current namespace. Either SecretName or Passthrough must - be specified, but not both. If specified, the named secret - must contain a matching certificate for the virtual host's - FQDN. 
- type: string - type: object - required: - - fqdn - type: object - type: object - status: - default: - currentStatus: NotReconciled - description: Waiting for controller - description: Status is a container for computed information about the - HTTPProxy. - properties: - conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com/ConditionName`." - items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. 
\n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." - properties: - errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." - properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." 
- maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." 
- properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." - maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentStatus: - type: string - description: - type: string - loadBalancer: - description: LoadBalancer contains the current status of the load - balancer. - properties: - ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. - items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' 
- properties: - hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) - type: string - ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) - type: string - ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it - items: - properties: - error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific - error values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - port: - description: Port is the port number of the service - port of which status is recorded here - format: int32 - type: integer - protocol: - default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' - type: string - required: - - port - - protocol - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: tlscertificatedelegations.projectcontour.io -spec: - preserveUnknownFields: false - group: 
projectcontour.io - names: - kind: TLSCertificateDelegation - listKind: TLSCertificateDelegationList - plural: tlscertificatedelegations - shortNames: - - tlscerts - singular: tlscertificatedelegation - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD - specification. See design/tls-certificate-delegation.md for details. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TLSCertificateDelegationSpec defines the spec of the CRD - properties: - delegations: - items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. - properties: - secretName: - description: required, the name of a secret in the current namespace. - type: string - targetNamespaces: - description: required, the namespaces the authority to reference - the the secret will be delegated to. If TargetNamespaces is - nil or empty, the CertificateDelegation' is ignored. If the - TargetNamespace list contains the character, "*" the secret - will be delegated to all namespaces. 
- items: - type: string - type: array - required: - - secretName - - targetNamespaces - type: object - type: array - required: - - delegations - type: object - status: - description: TLSCertificateDelegationStatus allows for the status of the - delegation to be presented to the user. - properties: - conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com\\ConditionName`." - items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. 
\n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." - properties: - errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." - properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." 
- maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." - items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." 
- properties: - message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." - maxLength: 32768 - type: string - reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - message - - reason - - status - - type - type: object - type: array - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: contour-certgen - namespace: projectcontour ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: contour - namespace: projectcontour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: contour-certgen 
-subjects: -- kind: ServiceAccount - name: contour-certgen - namespace: projectcontour ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: contour-certgen - namespace: projectcontour -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - update ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: contour-certgen-v1.22.3 - namespace: projectcontour -spec: - template: - metadata: - labels: - app: "contour-certgen" - spec: - containers: - - name: contour - image: ghcr.io/projectcontour/contour:v1.22.3 - imagePullPolicy: IfNotPresent - command: - - contour - - certgen - - --kube - - --incluster - - --overwrite - - --secrets-format=compact - - --namespace=$(CONTOUR_NAMESPACE) - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - restartPolicy: Never - serviceAccountName: contour-certgen - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - parallelism: 1 - completions: 1 - backoffLimit: 1 - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: contour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: contour -subjects: -- kind: ServiceAccount - name: contour - namespace: projectcontour ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: contour-rolebinding - namespace: projectcontour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: contour -subjects: -- kind: ServiceAccount - name: contour - namespace: projectcontour - -# The following ClusterRole and Role are generated from kubebuilder RBAC tags by -# generate-rbac.sh. Do not edit this file directly but instead edit the source -# files and re-render. 
- ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: contour -rules: -- apiGroups: - - "" - resources: - - endpoints - - namespaces - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - httproutes - - referencegrants - - referencepolicies - - tlsroutes - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - tlsroutes/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - create - - get - - update -- apiGroups: - - projectcontour.io - resources: - - contourconfigurations - - extensionservices - - httpproxies - - tlscertificatedelegations - verbs: - - get - - list - - watch -- apiGroups: - - projectcontour.io - resources: - - contourconfigurations/status - - extensionservices/status - - httpproxies/status - verbs: - - create - - get - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - name: contour - namespace: projectcontour -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - ---- -apiVersion: v1 -kind: Service -metadata: - name: contour - namespace: projectcontour -spec: - ports: - - port: 8001 - name: xds - protocol: TCP - targetPort: 8001 - selector: - app: contour - type: ClusterIP - ---- -apiVersion: v1 -kind: Service -metadata: - name: envoy - namespace: projectcontour - annotations: - # This annotation puts the AWS ELB into "TCP" mode so that it does not - # do HTTP negotiation for HTTPS connections at the ELB edge. 
- # The downside of this is the remote IP address of all connections will - # appear to be the internal address of the ELB. See docs/proxy-proto.md - # for information about enabling the PROXY protocol on the ELB to recover - # the original remote IP address. - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp -spec: - externalTrafficPolicy: Local - ports: - - port: 80 - name: http - protocol: TCP - targetPort: 8080 - - port: 443 - name: https - protocol: TCP - targetPort: 8443 - selector: - app: envoy - type: LoadBalancer - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: contour - name: contour - namespace: projectcontour -spec: - replicas: 2 - strategy: - type: RollingUpdate - rollingUpdate: - # This value of maxSurge means that during a rolling update - # the new ReplicaSet will be created first. - maxSurge: 50% - selector: - matchLabels: - app: contour - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8000" - labels: - app: contour - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: contour - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - serve - - --incluster - - --xds-address=0.0.0.0 - - --xds-port=8001 - - --contour-cafile=/certs/ca.crt - - --contour-cert-file=/certs/tls.crt - - --contour-key-file=/certs/tls.key - - --config-path=/config/contour.yaml - command: ["contour"] - image: ghcr.io/projectcontour/contour:v1.22.3 - imagePullPolicy: IfNotPresent - name: contour - ports: - - containerPort: 8001 - name: xds - protocol: TCP - - containerPort: 8000 - name: metrics - protocol: TCP - - containerPort: 6060 - name: debug - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: 8000 - readinessProbe: - tcpSocket: - port: 8001 - initialDelaySeconds: 15 - periodSeconds: 10 - volumeMounts: - - name: contourcert - mountPath: /certs - readOnly: 
true - - name: contour-config - mountPath: /config - readOnly: true - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - dnsPolicy: ClusterFirst - serviceAccountName: contour - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumes: - - name: contourcert - secret: - secretName: contourcert - - name: contour-config - configMap: - name: contour - defaultMode: 0644 - items: - - key: contour.yaml - path: contour.yaml - ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: envoy - name: envoy - namespace: projectcontour -spec: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 10% - selector: - matchLabels: - app: envoy - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8002" - prometheus.io/path: "/stats/prometheus" - labels: - app: envoy - spec: - containers: - - command: - - /bin/contour - args: - - envoy - - shutdown-manager - image: ghcr.io/projectcontour/contour:v1.22.3 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /bin/contour - - envoy - - shutdown - livenessProbe: - httpGet: - path: /healthz - port: 8090 - initialDelaySeconds: 3 - periodSeconds: 10 - name: shutdown-manager - volumeMounts: - - name: envoy-admin - mountPath: /admin - - args: - - -c - - /config/envoy.json - - --service-cluster $(CONTOUR_NAMESPACE) - - --service-node $(ENVOY_POD_NAME) - - --log-level info - command: - - envoy - image: docker.io/envoyproxy/envoy:v1.23.3 - imagePullPolicy: IfNotPresent - name: envoy - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: ENVOY_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - ports: - - containerPort: 8080 - hostPort: 80 - name: http - protocol: TCP - - containerPort: 
8443 - hostPort: 443 - name: https - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8002 - initialDelaySeconds: 3 - periodSeconds: 4 - volumeMounts: - - name: envoy-config - mountPath: /config - readOnly: true - - name: envoycert - mountPath: /certs - readOnly: true - - name: envoy-admin - mountPath: /admin - lifecycle: - preStop: - httpGet: - path: /shutdown - port: 8090 - scheme: HTTP - initContainers: - - args: - - bootstrap - - /config/envoy.json - - --xds-address=contour - - --xds-port=8001 - - --xds-resource-version=v3 - - --resources-dir=/config/resources - - --envoy-cafile=/certs/ca.crt - - --envoy-cert-file=/certs/tls.crt - - --envoy-key-file=/certs/tls.key - command: - - contour - image: ghcr.io/projectcontour/contour:v1.22.3 - imagePullPolicy: IfNotPresent - name: envoy-initconfig - volumeMounts: - - name: envoy-config - mountPath: /config - - name: envoycert - mountPath: /certs - readOnly: true - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - automountServiceAccountToken: false - serviceAccountName: envoy - terminationGracePeriodSeconds: 300 - volumes: - - name: envoy-admin - emptyDir: {} - - name: envoy-config - emptyDir: {} - - name: envoycert - secret: - secretName: envoycert - restartPolicy: Always - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/resources.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/resources.yaml deleted file mode 100644 index 01da98c06..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/resources.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - -#@ package = library.get("upstream") - -#@ def kind_values(): -contour: - replicas: 1 - configFileContents: - default-http-versions: - - "HTTP/1.1" -envoy: - service: - type: ClusterIP - hostPorts: - enable: true -#@ end - -#@ def azure_values(): -envoy: - service: - type: LoadBalancer - externalTrafficPolicy: Cluster - hostPorts: - enable: true -#@ end - -#@ if data.values.clusterInfrastructure.provider == "kind": -#@ package = package.with_data_values(kind_values(), plain=True) -#@ end - -#@ if data.values.clusterInfrastructure.provider == "azure": -#@ package = package.with_data_values(azure_values(), plain=True) -#@ end - -#@ if data.values.clusterInfrastructure.provider in ("docker", "aws", "vsphere", "azure"): -#@ package = package.with_data_values({"infrastructureProvider": data.values.clusterInfrastructure.provider}, plain=True) -#@ end - -#@ package = package.with_data_values(data.values.clusterPackages.contour.settings, plain=True) - ---- #@ template.replace(package.eval()) - -#@ if data.values.clusterSecurity.policyEngine == "pod-security-policies": ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: aa-contour-privileged -spec: - privileged: true - allowPrivilegeEscalation: true - allowedCapabilities: - - '*' - volumes: - - '*' - hostNetwork: true - hostPorts: - - min: 0 - max: 65535 - hostIPC: true - hostPID: true - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: contour-privileged-psp -rules: -- apiGroups: - - policy - resourceNames: - - aa-contour-privileged - resources: - - podsecuritypolicies - verbs: - - use ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: contour-privileged-psp - namespace: 
projectcontour -roleRef: - kind: ClusterRole - name: contour-privileged-psp - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: envoy - namespace: projectcontour -#@ end diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/_ytt_lib/upstream/install.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/_ytt_lib/upstream/install.yaml deleted file mode 100644 index c8dd026cf..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/_ytt_lib/upstream/install.yaml +++ /dev/null 
@@ -1,31183 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: kyverno ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-cleanup-controller - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - namespace: kyverno ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - namespace: kyverno ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: kyverno - namespace: kyverno -data: - # resource types to be skipped by kyverno policy engine - resourceFilters: 
"[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-test]" - webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]' ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: kyverno-metrics - namespace: kyverno -data: - namespaces: "{\"exclude\":[],\"include\":[]}" ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: admissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: AdmissionReport - listKind: AdmissionReportList - plural: admissionreports - shortNames: - - admr - singular: admissionreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - 
priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: AdmissionReport is the Schema for the AdmissionReports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. 
- type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. 
Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. 
It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. 
TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. 
This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: backgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: BackgroundScanReport - listKind: BackgroundScanReportList - plural: backgroundscanreports - shortNames: - - bgscanr - singular: backgroundscanreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 
1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: BackgroundScanReport is the Schema for the BackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: cleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: CleanupPolicy - listKind: CleanupPolicyList - plural: cleanuppolicies - shortNames: - - cleanpol - singular: cleanuppolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. 
- Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. 
The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: clusteradmissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterAdmissionReport - listKind: ClusterAdmissionReportList - plural: clusteradmissionreports - shortNames: - - cadmr - singular: clusteradmissionreport - scope: Cluster - versions: - - 
additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. 
- type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. 
Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. 
It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. 
TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. 
This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: clusterbackgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterBackgroundScanReport - listKind: ClusterBackgroundScanReportList - plural: clusterbackgroundscanreports - shortNames: - - cbgscanr - singular: clusterbackgroundscanreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: 
.metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: clustercleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterCleanupPolicy - listKind: ClusterCleanupPolicyList - plural: clustercleanuppolicies - shortNames: - - ccleanpol - singular: clustercleanuppolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. 
- Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. 
The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: clusterpolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterPolicy - listKind: ClusterPolicyList - plural: clusterpolicies - shortNames: - - cpol - singular: clusterpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: 
.spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. 
- enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. 
- properties: - apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. 
- type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. 
Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. 
Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. 
Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. 
For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. 
- properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. 
For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. 
- items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. 
- The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. 
- items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. 
- type: string - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. 
kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" 
(matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. 
Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" 
(matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. 
- type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. 
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. 
The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
- x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. 
A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. 
- type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. 
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. 
- items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. 
Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. 
The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. 
- type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. 
- type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. 
- type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. 
A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. 
Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. 
- type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. 
- Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. 
- type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. 
- properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. 
- properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. 
- type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. 
The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. 
- properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. 
- type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. 
- type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. 
The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. 
- properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. 
- properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. 
- Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. 
- type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. 
- A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). 
If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. 
If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. 
- enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). 
If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. 
- type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. 
- type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. 
A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: generaterequests.kyverno.io -spec: - group: kyverno.io - names: - kind: GenerateRequest - listKind: GenerateRequestList - plural: generaterequests - shortNames: - - gr - singular: generaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: GenerateRequest is a request to process generate rule. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the information to identify the generate request. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - type: string - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. 
If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - policy: - description: Specifies the name of the policy. - type: string - resource: - description: ResourceSpec is the information to identify the generate - request. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - required: - - context - - policy - - resource - type: object - status: - description: Status contains statistics related to generate request. - properties: - generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - message: - description: Specifies request status message. - type: string - state: - description: State represents state of the generate request. 
- type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: policies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. 
- type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. 
- type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. 
- items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. 
- type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. 
- Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. 
A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). 
If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. 
If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. 
- enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). 
If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. 
If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. 
- The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. 
- items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime information. Deprecated. Policy - metrics are available via the metrics endpoint - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the API server. 
- For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. 
- Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. 
- Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. 
This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. 
- type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. 
- "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. 
- type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. 
- Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. 
- type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. 
- A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). 
If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. 
If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. 
- enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). 
If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. 
- type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. 
- type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. 
A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v2beta1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. 
- type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. 
- type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. 
- type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. 
A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. 
Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. 
- type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. 
- Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. 
- type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. 
- properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. 
- properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. 
- type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. 
- type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. 
The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. 
- properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. - type: string - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. 
- type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. 
- type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. 
The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. 
- properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. 
- properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - required: - - urlPath - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. 
- Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. 
- type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. 
- A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). 
If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. 
- type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. 
If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. 
- type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. 
- enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). 
If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. 
- type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. 
- type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. 
A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: policyexceptions.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: PolicyException - listKind: PolicyExceptionList - plural: policyexceptions - shortNames: - - polex - singular: policyexception - scope: Namespaced - versions: - - name: v2alpha1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: updaterequests.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: UpdateRequest - listKind: UpdateRequestList - plural: updaterequests - shortNames: - - ur - singular: updaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.requestType - name: RuleType - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: UpdateRequest is a request to process mutate and generate rules - in background. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the information to identify the update request. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - description: AdmissionRequest describes the admission.Attributes - for the admission request. - properties: - dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. - type: boolean - kind: - description: Kind is the fully-qualified type of object - being submitted (for example, v1.Pod or autoscaling.v1.Scale) - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. - type: string - namespace: - description: Namespace is the namespace associated with - the request (if any). - type: string - object: - description: Object is the object from the incoming request. - type: object - x-kubernetes-preserve-unknown-fields: true - oldObject: - description: OldObject is the existing object. Only populated - for DELETE and UPDATE requests. - type: object - x-kubernetes-preserve-unknown-fields: true - operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. 
- type: string - options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. - type: object - x-kubernetes-preserve-unknown-fields: true - requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. 
\n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. - type: string - resource: - description: Resource is the fully-qualified resource - being requested (for example, v1.pods) - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - subResource: - description: SubResource is the subresource being requested, - if any (for example, "status" or "scale") - type: string - uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. 
It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. - type: string - userInfo: - description: UserInfo is information about the requesting - user - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by - the authenticator. - type: object - groups: - description: The names of groups this user is a part - of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this - user among all active users. - type: string - type: object - required: - - kind - - operation - - resource - - uid - - userInfo - type: object - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. 
- items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - policy: - description: Specifies the name of the policy. - type: string - requestType: - description: Type represents request type for background processing - enum: - - mutate - - generate - type: string - resource: - description: ResourceSpec is the information to identify the update - request. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - required: - - context - - policy - - resource - type: object - status: - description: Status contains statistics related to update request. - properties: - generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - handler: - description: Handler represents the instance ID that handles the UR - Deprecated - type: string - message: - description: Specifies request status message. - type: string - state: - description: State represents state of the update request. 
- type: string - required: - - state - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: clusterpolicyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - shortNames: - - cpolr - singular: clusterpolicyreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: 
policyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - shortNames: - - polr - singular: policyreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admin-policies - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 
-rules: -- apiGroups: - - kyverno.io - resources: - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admin-policyreport - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admin-reports - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admin-generaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - generaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:admin-updaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: 
kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno -aggregationRule: - clusterRoleSelectors: - - matchLabels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:cleanup-controller:core - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - kyverno.io - resources: - - clustercleanuppolicies - - cleanuppolicies - - clustercleanuppolicies/* - - cleanuppolicies/* - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - 
app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -aggregationRule: - clusterRoleSelectors: - - matchLabels: - app: kyverno - app.kubernetes.io/name: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:userinfo - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:policies - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - policies - - policies/status - - clusterpolicies - - clusterpolicies/status - - generaterequests - - generaterequests/status - - updaterequests - - updaterequests/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:view - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - 
name: kyverno:generate - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - - networkpolicies - verbs: - - create - - update - - patch - - delete - - apiGroups: - - '' - resources: - - namespaces - - configmaps - - secrets - - resourcequotas - - limitranges - verbs: - - create - - update - - patch - - delete - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:events - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:webhook - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
kyverno:cleanup-controller -subjects: -- kind: ServiceAccount - name: kyverno-cleanup-controller - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno -subjects: -- kind: ServiceAccount - name: kyverno - namespace: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - namespace: kyverno -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update -- apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kyverno:leaderelection - namespace: kyverno - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - patch - - update - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:cleanup-controller - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - 
app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - namespace: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kyverno:cleanup-controller -subjects: -- kind: ServiceAccount - name: kyverno-cleanup-controller - namespace: kyverno ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:leaderelection - namespace: kyverno - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kyverno:leaderelection -subjects: -- kind: ServiceAccount - name: kyverno - namespace: kyverno ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-cleanup-controller - namespace: kyverno - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno -spec: - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-cleanup-controller-metrics - namespace: kyverno - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc 
- labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - namespace: kyverno -spec: - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: - app: kyverno - app.kubernetes.io/name: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc-metrics - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - namespace: kyverno -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - app: kyverno - app.kubernetes.io/name: kyverno - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-cleanup-controller - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - namespace: kyverno -spec: - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - template: - metadata: - labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller - app.kubernetes.io/instance: kyverno - spec: - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup-controller - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno-cleanup-controller - 
containers: - - name: controller - image: "ghcr.io/kyverno/cleanup-controller:v1.9.2" - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics - protocol: TCP - args: - - --loggingFormat=text - - --disableMetrics=false - - --otelConfig=prometheus - - --metricsPort=8000 - env: - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_SVC - value: kyverno-cleanup-controller - resources: - limits: - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 20 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 2 - periodSeconds: 6 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - namespace: kyverno -spec: - selector: - matchLabels: - app: kyverno - app.kubernetes.io/name: kyverno - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - 
app.kubernetes.io/version: v1.9.2 - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - 'kyverno' - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno - dnsPolicy: ClusterFirst - initContainers: - - name: kyverno-pre - image: "ghcr.io/kyverno/kyvernopre:v1.9.2" - imagePullPolicy: IfNotPresent - args: - - --loggingFormat=text - resources: - limits: - cpu: 100m - memory: 256Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - env: - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_DEPLOYMENT - value: kyverno - containers: - - name: kyverno - image: "ghcr.io/kyverno/kyverno:v1.9.2" - imagePullPolicy: IfNotPresent - args: - - --loggingFormat=text - - --exceptionNamespace=kyverno - resources: - limits: - memory: 384Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics-port - protocol: TCP - env: - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno - - name: KYVERNO_SVC - value: kyverno-svc - 
- name: TUF_ROOT - value: /.sigstore - - name: KYVERNO_DEPLOYMENT - value: kyverno - startupProbe: - failureThreshold: 20 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 2 - periodSeconds: 6 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /.sigstore - name: sigstore - volumes: - - name: sigstore - emptyDir: {} diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/overlays.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/overlays.yaml deleted file mode 100644 index da3676ea0..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/overlays.yaml +++ /dev/null @@ -1,10 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:overlay", "overlay") - -#@ if hasattr(data.values.clusterPackages.kyverno.settings, "replicaCount") and data.values.clusterPackages.kyverno.settings.replicaCount: -#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "kyverno", "namespace": "kyverno"}}) ---- -spec: - #@overlay/match missing_ok=True - replicas: #@ data.values.clusterPackages.kyverno.settings.replicaCount -#@ end diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/resources.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/resources.yaml deleted file mode 100644 index c9a0fc254..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/resources.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - -#@ package = library.get("upstream") -#@ package = package.with_data_values(data.values.clusterPackages.kyverno.settings, plain=True) - ---- #@ template.replace(package.eval()) diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-crds-v1.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-crds-v1.yaml deleted file mode 100644 index 71892f44e..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-crds-v1.yaml +++ /dev/null 
@@ -1,534 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "api-approved.kubernetes.io": "unapproved, request not yet submitted" - name: compositecontrollers.metacontroller.k8s.io -spec: - group: metacontroller.k8s.io - names: - kind: CompositeController - listKind: CompositeControllerList - plural: compositecontrollers - shortNames: - - cc - - cctl - singular: compositecontroller - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - childResources: - items: - properties: - apiVersion: - type: string - resource: - type: string - updateStrategy: - properties: - method: - type: string - statusChecks: - properties: - conditions: - items: - properties: - reason: - type: string - status: - type: string - type: - type: string - required: - - type - type: object - type: array - type: object - type: object - required: - - apiVersion - - resource - type: object - type: array - generateSelector: - type: boolean - hooks: - properties: - customize: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - finalize: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - postUpdateChild: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - preUpdateChild: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - 
timeout: - type: string - url: - type: string - type: object - type: object - sync: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - type: object - parentResource: - properties: - apiVersion: - type: string - resource: - type: string - revisionHistory: - properties: - fieldPaths: - items: - type: string - type: array - type: object - required: - - apiVersion - - resource - type: object - resyncPeriodSeconds: - format: int32 - type: integer - required: - - parentResource - type: object - status: - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "api-approved.kubernetes.io": "unapproved, request not yet submitted" - name: controllerrevisions.metacontroller.k8s.io -spec: - group: metacontroller.k8s.io - names: - kind: ControllerRevision - listKind: ControllerRevisionList - plural: controllerrevisions - singular: controllerrevision - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - children: - items: - properties: - apiGroup: - type: string - kind: - type: string - names: - items: - type: string - type: array - required: - - apiGroup - - kind - - names - type: object - type: array - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - parentPatch: - type: object - required: - - metadata - - parentPatch - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "api-approved.kubernetes.io": "unapproved, request not yet submitted" - name: decoratorcontrollers.metacontroller.k8s.io -spec: - group: metacontroller.k8s.io - names: - kind: DecoratorController - listKind: DecoratorControllerList - plural: decoratorcontrollers - shortNames: - - dec - - decorators - singular: decoratorcontroller - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - attachments: - items: - properties: - apiVersion: - type: string - resource: - type: string - updateStrategy: - properties: - method: - type: string - type: object - required: - - apiVersion - - resource - type: object - type: array - hooks: - properties: - customize: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - finalize: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - sync: - properties: - webhook: - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - type: object - resources: - items: - properties: - annotationSelector: - properties: - matchAnnotations: - additionalProperties: - type: string - type: object - matchExpressions: - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - apiVersion: - type: string - labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - resource: - type: string - required: - - apiVersion - - resource - type: object - type: array - resyncPeriodSeconds: - format: int32 - type: integer - required: - - resources - type: object - status: - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-rbac.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-rbac.yaml deleted file mode 100644 index a49e84a52..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-rbac.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: metacontroller - namespace: metacontroller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: metacontroller -rules: -- apiGroups: - - "*" - resources: - - "*" - verbs: - - "*" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metacontroller -subjects: -- kind: ServiceAccount - name: metacontroller - namespace: metacontroller -roleRef: - kind: ClusterRole - name: metacontroller - apiGroup: rbac.authorization.k8s.io ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: aggregate-metacontroller-view - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: -- apiGroups: - - metacontroller.k8s.io - resources: - - compositecontrollers - - controllerrevisions - - decoratorcontrollers - verbs: - - get - - list - - watch ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: aggregate-metacontroller-edit - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" -rules: -- apiGroups: - - metacontroller.k8s.io - resources: - - controllerrevisions - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller.yaml deleted file mode 100644 index 69b620fb2..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app.kubernetes.io/name: metacontroller - name: metacontroller - namespace: metacontroller -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: metacontroller - serviceName: "" - template: - metadata: - labels: - app.kubernetes.io/name: metacontroller - spec: - serviceAccountName: metacontroller - containers: - - name: metacontroller - image: metacontrollerio/metacontroller:v4.2.0 - command: ["/usr/bin/metacontroller"] - args: - - --zap-log-level=4 - - --discovery-interval=20s - volumeClaimTemplates: [] diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/resources.yaml b/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/resources.yaml deleted file mode 100644 index f5a24eebb..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/resources.yaml +++ /dev/null @@ -1,8 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - -#@ package = library.get("upstream") -#@ package = package.with_data_values(data.values.clusterPackages.metacontroller.settings, plain=True) - ---- #@ template.replace(package.eval()) diff --git a/carvel-packages/cluster-essentials/bundle/config/packages.yaml b/carvel-packages/cluster-essentials/bundle/config/packages.yaml deleted file mode 100644 index 7769944cb..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/packages.yaml +++ /dev/null @@ -1,10 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - -#@ for name in data.values.clusterPackages: -#@ package = data.values.clusterPackages[name] -#@ if package.enabled: ---- #@ template.replace(library.get(name).with_data_values(data.values, plain=True).eval()) -#@ end -#@ end 
diff --git a/carvel-packages/cluster-essentials/bundle/config/schema.yaml b/carvel-packages/cluster-essentials/bundle/config/schema.yaml deleted file mode 100644 index 6f69e9b2e..000000000 --- a/carvel-packages/cluster-essentials/bundle/config/schema.yaml +++ /dev/null @@ -1,39 +0,0 @@ -#@data/values-schema ---- - -#! Packages required to be installed into the cluster for Educates. This -#! installer for the packages is provided as a convenience and you can choose -#! to still install the packages yourself, in which case you should override -#! the packages to be excluded by this installer. - -clusterPackages: - - contour: - enabled: true - #@schema/type any=True - settings: {} - - kyverno: - enabled: true - #@schema/type any=True - settings: {} - - metacontroller: - enabled: false - #@schema/type any=True - settings: {} - -#! Details about the cluster infrastucture. The only option for the provider -#! which is currently checked is "kind". - -clusterInfrastructure: - - provider: "" - -#! Policy engine used to enforce security. Options are "pod-security-policies", -#! "pod-security-standards", "security-context-constraints", "kyverno" and -#! "none". - -clusterSecurity: - - policyEngine: "none" diff --git a/carvel-packages/cluster-essentials/config/metadata.yaml b/carvel-packages/cluster-essentials/config/metadata.yaml deleted file mode 100644 index 5f57dd0bc..000000000 --- a/carvel-packages/cluster-essentials/config/metadata.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: PackageMetadata -metadata: - name: cluster-essentials.educates.dev - namespace: educates-package -spec: - displayName: "Educates Cluster Essentials" - shortDescription: "Set of packages required to be installed to the cluster for Educates." - providerName: VMware - maintainers: - - name: "Graham Dumpleton" 
diff --git a/carvel-packages/cluster-essentials/config/package.yaml b/carvel-packages/cluster-essentials/config/package.yaml deleted file mode 100644 index 6670767ad..000000000 --- a/carvel-packages/cluster-essentials/config/package.yaml +++ /dev/null @@ -1,42 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:yaml", "yaml") - -#@ def bundle_reference(): -#@ registry = data.values.imageRegistry.host -#@ if not registry or registry == "localhost:5001": -#@ registry = "registry.default.svc.cluster.local" -#@ end -#@ if data.values.imageRegistry.namespace: -#@ registry = "{}/{}".format(registry, data.values.imageRegistry.namespace) -#@ end -#@ return "{}/educates-cluster-essentials:{}".format(registry, data.values.version) -#@ end - ---- -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: #@ "cluster-essentials.educates.dev.{}".format(data.values.version) -spec: - refName: cluster-essentials.educates.dev - version: #@ data.values.version - releasedAt: #@ data.values.releasedAt - valuesSchema: - openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"] - template: - spec: - fetch: - - imgpkgBundle: - image: #@ bundle_reference() - template: - - ytt: - paths: - - "config" - - kbld: - paths: - - ".imgpkg/images.yml" - - "-" - deploy: - - kapp: - rawOptions: - - "--app-changes-max-to-keep=5" diff --git a/carvel-packages/cluster-essentials/config/schema.yaml b/carvel-packages/cluster-essentials/config/schema.yaml deleted file mode 100644 index c55e3cbc9..000000000 --- a/carvel-packages/cluster-essentials/config/schema.yaml +++ /dev/null @@ -1,12 +0,0 @@ -#@data/values-schema ---- - -version: latest - -imageRegistry: - host: "localhost" - namespace: "" - -releasedAt: "" - -openapi: "" diff --git a/carvel-packages/installer/bundle/.imgpkg/.gitkeep b/carvel-packages/installer/bundle/.imgpkg/.gitkeep new file mode 100644 index 000000000..e69de29bb 
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-apiservices.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-apiservices.yaml
new file mode 100644
index 000000000..81d63d22a
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-apiservices.yaml
@@ -0,0 +1,16 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [spec, caBundle]
+ - [spec, group]
+ - [spec, groupPriorityMinimum]
+ - [spec, service, name]
+ - [spec, service, namespace]
+ - [spec, service, port]
+ - [spec, version]
+ - [spec, versionPriority]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: apiregistration.k8s.io/v1, kind: APIService }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-clusterpolicy.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-clusterpolicy.yaml
new file mode 100644
index 000000000..306e1ac63
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-clusterpolicy.yaml
@@ -0,0 +1,10 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [spec, admission]
+ - [spec, rules, { allIndexes: true }, skipBackgroundRequests]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: kyverno.io/v1, kind: ClusterPolicy }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-crds.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-crds.yaml
new file mode 100644
index 000000000..c5a3d39c1
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-crds.yaml
@@ -0,0 +1,55 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - path: [spec, conversion, strategy]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: apiextensions.k8s.io/v1, kind: CustomResourceDefinition }
+ - path: [spec, preserveUnknownFields]
+ type: remove
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: apiextensions.k8s.io/v1, kind: CustomResourceDefinition }
+ #! The rule below is like removing it
+ - path: [spec, preserveUnknownFields]
+ type: copy
+ sources: [existing]
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: apiextensions.k8s.io/v1, kind: CustomResourceDefinition }
+ - paths:
+ - [
+ spec,
+ versions,
+ { allIndexes: true },
+ additionalPrinterColumns,
+ { allIndexes: true },
+ priority,
+ ]
+ type: remove
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: apiextensions.k8s.io/v1, kind: CustomResourceDefinition }
+ #! The rule below is like removing it
+ - paths:
+ - [
+ spec,
+ versions,
+ { allIndexes: true },
+ additionalPrinterColumns,
+ { allIndexes: true },
+ priority,
+ ]
+ type: copy
+ sources: [existing]
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: apiextensions.k8s.io/v1, kind: CustomResourceDefinition }
+ - path: [spec, names, listKind]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: apiextensions.k8s.io/v1, kind: CustomResourceDefinition }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-daemonset.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-daemonset.yaml
new file mode 100644
index 000000000..077824e63
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-daemonset.yaml
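Review bot: The paired rules on `[spec, preserveUnknownFields]` and on the `additionalPrinterColumns … priority` path are not equivalent to a removal as the `#! The rule below is like removing it` comment claims: kapp applies rebase rules in order, so the `type: remove` strips the field from the new manifest and the following `copy` with `sources: [existing]` then reinstates whatever the cluster object already carries, as far as I can read kapp's copy semantics. If "keep the cluster's value" is the intended outcome, keep only the `copy` rule and reword the comment to `#! keep the value the cluster already has; the manifest never sets it`; if removal is intended, drop the `copy` rule instead.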
@@ -0,0 +1,37 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [spec, selector, matchLabels, "kapp.k14s.io/app"]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: apps/v1, kind: DaemonSet }
+ - paths:
+ - [metadata, annotations, "deprecated.daemonset.template.generation"]
+ - [spec, revisionHistoryLimit]
+ - [spec, updateStrategy]
+ - [spec, template, metadata, creationTimestamp]
+ - [spec, template, spec, containers, { allIndexes: true }, livenessProbe]
+ - [spec, template, spec, containers, { allIndexes: true }, readinessProbe]
+ - [spec, template, spec, containers, { allIndexes: true }, startupProbe]
+ - [spec, template, spec, containers, { allIndexes: true }, resources]
+ - [spec, template, spec, containers, { allIndexes: true }, env]
+ - [spec, template, spec, containers, { allIndexes: true }, terminationMessagePath]
+ - [spec, template, spec, containers, { allIndexes: true }, terminationMessagePolicy]
+ - [spec, template, spec, containers, { allIndexes: true }, securityContext]
+ - [spec, template, spec, securityContext]
+ - [spec, template, spec, dnsPolicy]
+ - [spec, template, spec, initContainers, { allIndexes: true }, resources]
+ - [spec, template, spec, initContainers, { allIndexes: true }, env]
+ - [spec, template, spec, initContainers, { allIndexes: true }, terminationMessagePath]
+ - [spec, template, spec, initContainers, { allIndexes: true }, terminationMessagePolicy]
+ - [spec, template, spec, restartPolicy]
+ - [spec, template, spec, schedulerName]
+ - [spec, template, spec, serviceAccount]
+ - [spec, template, spec, terminationGracePeriodSeconds]
+ - [spec, template, spec, volumes, { allIndexes: true }, secret, defaultMode]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: apps/v1, kind: DaemonSet }
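Review bot: Rebasing the container, initContainer and pod `securityContext` paths with `sources: [existing, new]` means, if I read kapp's copy semantics right, that once a DaemonSet exists the manifest can no longer change its security settings — a later release that sets `runAsNonRoot`, drops capabilities or adds `readOnlyRootFilesystem` is silently rebased back to whatever the cluster object already has. The same paths (plus `env` and `resources`) are listed in kapp-config-deployment.yaml, so the concern applies there too. If the goal is only to tolerate values injected by an admission controller or defaulted by the API server, prefer `sources: [new, existing]` for these paths or narrow them to the specific defaulted sub-fields, and add a comment naming which component populates them, e.g. `#! securityContext is managed by <component>; the manifest does not set it`.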
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-deployment.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-deployment.yaml
new file mode 100644
index 000000000..8f8b8a328
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-deployment.yaml
@@ -0,0 +1,42 @@ +apiVersion: kapp.k14s.io/v1alpha1 +kind: Config +rebaseRules: + - paths: + - [spec, selector, matchLabels, "kapp.k14s.io/app"] + type: copy + sources: [existing, new] + resourceMatchers: + - apiVersionKindMatcher: { apiVersion: apps/v1, kind: Deployment } + - paths: + - [spec, replicas] + - [spec, strategy] + - [spec, progressDeadlineSeconds] + - [spec, revisionHistoryLimit] + - [spec, template, metadata, creationTimestamp] + - [spec, template, spec, containers, { allIndexes: true }, livenessProbe] + - [spec, template, spec, containers, { allIndexes: true }, readinessProbe] + - [spec, template, spec, containers, { allIndexes: true }, startupProbe] + - [spec, template, spec, containers, { allIndexes: true }, env] + - [spec, template, spec, containers, { allIndexes: true }, imagePullPolicy] + - [spec, template, spec, containers, { allIndexes: true }, resources] + - [spec, template, spec, containers, { allIndexes: true }, securityContext] + - [spec, template, spec, containers, { allIndexes: true }, terminationMessagePath] + - [spec, template, spec, containers, { allIndexes: true }, terminationMessagePolicy] + - [spec, template, spec, initContainers, { allIndexes: true }, env] + - [spec, template, spec, initContainers, { allIndexes: true }, imagePullPolicy] + - [spec, template, spec, initContainers, { allIndexes: true }, resources] + - [spec, template, spec, initContainers, { allIndexes: true }, securityContext] + - [spec, template, spec, initContainers, { allIndexes: true }, terminationMessagePath] + - [spec, template, spec, initContainers, { allIndexes: true }, terminationMessagePolicy] + - [spec, template, spec, securityContext] + - [spec, template, spec, dnsPolicy] + - [spec, template, spec, restartPolicy] + - [spec, template, spec, schedulerName] + - [spec, template, spec, serviceAccount] + - [spec, template, spec, serviceAccountName] + - [spec, template, spec, terminationGracePeriodSeconds] + - [spec, template, spec, volumes, { allIndexes: true 
}, secret, defaultMode]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: apps/v1, kind: Deployment }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-educates.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-educates.yaml
new file mode 100644
index 000000000..38f8ef6a6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-educates.yaml
@@ -0,0 +1,20 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [metadata, annotations, "kopf.zalando.org/last-handled-configuration"]
+ - [spec, rules, { allIndexes: true }, reclaimPolicy]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: secrets.educates.dev/v1beta1, kind: SecretCopier }
+ - apiVersionKindMatcher: { apiVersion: secrets.educates.dev/v1beta1, kind: SecretInjector }
+ - paths:
+ - [data]
+ - [metadata, annotations, "kubernetes.io/service-account.uid"]
+ - [metadata, labels, "kubernetes.io/legacy-token-last-used"]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - kindNamespaceNameMatcher: { kind: Secret, name: secrets-manager-token, namespace: educates }
+ - kindNamespaceNameMatcher: { kind: Secret, name: session-manager-token, namespace: educates }
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-installer-labels.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-installer-labels.yaml
new file mode 100644
index 000000000..f7d5d5139
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-installer-labels.yaml
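Review bot: Copying `[data]` from the existing `secrets-manager-token` and `session-manager-token` Secrets means the manifest's `data` for those two objects is never applied on an update, and nothing in the file says why. Presumably they are service-account token Secrets whose contents the token controller fills in (the `kubernetes.io/service-account.uid` annotation path points that way), but that is an inference; a comment above the second rule such as `#! service-account token Secrets: the control plane fills in data/uid, keep the cluster's values` would make the contract explicit. The file is also missing its trailing newline.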
@@ -0,0 +1,17 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [spec, selector, matchLabels]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: apps/v1, kind: DaemonSet }
+ - apiVersionKindMatcher: { apiVersion: apps/v1, kind: Deployment }
+ - paths:
+ - [spec, selector]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: v1, kind: Service }
+ - apiVersionKindMatcher: { apiVersion: apps/v1, kind: Deployment }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-jobs.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-jobs.yaml
new file mode 100644
index 000000000..4e7cf5d3f
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-jobs.yaml
@@ -0,0 +1,86 @@ +apiVersion: kapp.k14s.io/v1alpha1 +kind: Config +rebaseRules: + - paths: + - [spec, jobTemplate, metadata, creationTimestamp] + - [spec, jobTemplate, spec, template, metadata, creationTimestamp] + - [spec, jobTemplate, spec, template, spec, containers, { allIndexes: true }, imagePullPolicy] + - [spec, jobTemplate, spec, template, spec, containers, { allIndexes: true }, resources] + - [ + spec, + jobTemplate, + spec, + template, + spec, + containers, + { allIndexes: true }, + terminationMessagePath, + ] + - [ + spec, + jobTemplate, + spec, + template, + spec, + containers, + { allIndexes: true }, + terminationMessagePolicy, + ] + - [spec, jobTemplate, spec, template, spec, securityContext] + - [spec, jobTemplate, spec, template, spec, dnsPolicy] + - [spec, jobTemplate, spec, template, spec, restartPolicy] + - [spec, jobTemplate, spec, template, spec, schedulerName] + - [spec, jobTemplate, spec, template, spec, serviceAccount] + - [spec, jobTemplate, spec, template, spec, terminationGracePeriodSeconds] + - [spec, scchedule] + - [spec, successfulJobsHistoryLimit] + - [spec, suspend] + type: copy + sources: [existing, new] + resourceMatchers: + - apiVersionKindMatcher: { apiVersion: batch/v1, kind: CronJob } + - paths: + - [spec, backoffLimit] + - [spec, completionMode] + - [spec, completions] + - [spec, manualSelector] + - [spec, parallelism] + - [spec, podReplacementPolicy] + - [spec, selector] + - [spec, suspend] + - [spec, template, metadata, creationTimestamp] + - [spec, template, metadata, labels, "batch.kubernetes.io/controller-uid"] + - [spec, template, metadata, labels, "batch.kubernetes.io/job-name"] + - [spec, template, metadata, labels, "controller-uid"] + - [spec, template, metadata, labels, "job-name"] + - [spec, template, spec, containers, { allIndexes: true }, imagePullPolicy] + - [spec, template, spec, containers, { allIndexes: true }, resources] + - [ + spec, + template, + spec, + containers, + { allIndexes: true }, + 
terminationMessagePath,
+ ]
+ - [
+ spec,
+ template,
+ spec,
+ containers,
+ { allIndexes: true },
+ terminationMessagePolicy,
+ ]
+ - [spec, template, spec, securityContext]
+ - [spec, template, spec, dnsPolicy]
+ - [spec, template, spec, restartPolicy]
+ - [spec, template, spec, schedulerName]
+ - [spec, template, spec, serviceAccount]
+ - [spec, template, spec, terminationGracePeriodSeconds]
+ - [spec, scchedule]
+ - [spec, successfulJobsHistoryLimit]
+ - [spec, suspend]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: batch/v1, kind: Job }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-kyverno.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-kyverno.yaml
new file mode 100644
index 000000000..be0e10bd8
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-kyverno.yaml
@@ -0,0 +1,10 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - path: [spec, conversion, strategy]
+ type: copy
+ sources: [new, existing]
+ resourceMatchers:
+ - kindNamespaceNameMatcher:
+ { kind: CustomResourceDefinition, name: clusterpolicies.kyverno.io }
+ - kindNamespaceNameMatcher: { kind: CustomResourceDefinition, name: policies.kyverno.io }
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-ns.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-ns.yaml
new file mode 100644
index 000000000..6cd2e084f
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-ns.yaml
@@ -0,0 +1,8 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - path: [metadata, labels, "kubernetes.io/metadata.name"]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: v1, kind: Namespace }
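Review bot: `[spec, scchedule]` is misspelled (`schedule`), so the CronJob rule never rebases that field, and the same three CronJob-only paths (`scchedule`, `successfulJobsHistoryLimit`, `suspend`) were repeated in the Job rule, where the first two do not exist on `batch/v1 Job`. Before correcting the spelling, decide whether `schedule` should be rebased at all: with `sources: [existing, new]` the cluster's current schedule would override a deliberately changed manifest, which is probably not what an installer wants. I would drop `[spec, scchedule]` and `[spec, successfulJobsHistoryLimit]` from the Job rule and either remove the schedule path from the CronJob rule or move it to a rule with `sources: [new, existing]`.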
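Review bot: `sources: [new, existing]` inverts the priority used for the same path `[spec, conversion, strategy]` in kapp-config-crds.yaml, whose matcher covers every CustomResourceDefinition including these two; which rule wins depends on the order kapp evaluates rules across Config documents, and nothing on the page pins that down. A comment recording the intent, e.g. `#! Kyverno's CRDs: the manifest's conversion strategy wins over the cluster's (overrides the generic CRD rule)`, would help the next reader, and it is worth confirming against kapp's documented rule ordering that the override actually takes effect. Keeping the matcher limited to the two named CRDs is right; it keeps the exception narrow.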
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-secrets.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-secrets.yaml
new file mode 100644
index 000000000..2d4113be7
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-secrets.yaml
@@ -0,0 +1,23 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [type]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: v1, kind: Secret }
+ # - paths:
+ # - [data]
+ # - [metadata,annotations,"kubernetes.io/service-account.uid"]
+ # - [metadata,annotations,"kubernetes.io/service-account.name"]
+ # - [type]
+ # type: copy
+ # sources: [existing, new]
+ # resourceMatchers:
+ # - andMatcher:
+ # matchers:
+ # - apiVersionKindMatcher: { apiVersion: v1, kind: Secret }
+ # - hasAnnotationMatcher:
+ # keys:
+ # - "kubernetes.io/service-account.name"
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-services.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-services.yaml
new file mode 100644
index 000000000..d1815f992
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-services.yaml
@@ -0,0 +1,22 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [spec, selector, "kapp.k14s.io/app"]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: v1, kind: Service }
+ - paths:
+ - [spec, type]
+ - [spec, clusterIPs]
+ - [spec, internalTrafficPolicy]
+ - [spec, ipFamilies]
+ - [spec, ipFamilyPolicy]
+ - [spec, sessionAffinity]
+ - [spec, allocateLoadBalancerNodePorts]
+ - [spec, ports]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher: { apiVersion: v1, kind: Service }
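Review bot: Copying `[spec, ports]` and `[spec, type]` from the existing Service means a manifest that changes a port, a `targetPort` or the Service type is ignored for every Service once it has been created, which is broader than what is needed to keep allocated `nodePort`s and `clusterIPs` stable. If preserving allocations is the goal, narrow the path to `[spec, ports, { allIndexes: true }, nodePort]` and drop `[spec, type]` from the list; if the whole port list really must stay sticky, a comment saying so above the second rule would stop the next maintainer from "fixing" it.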
diff --git a/carvel-packages/installer/bundle/config/kapp/kapp-config-webhooks.yaml b/carvel-packages/installer/bundle/config/kapp/kapp-config-webhooks.yaml
new file mode 100644
index 000000000..94dcaec73
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/kapp/kapp-config-webhooks.yaml
@@ -0,0 +1,16 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+ - paths:
+ - [webhooks, { allIndexes: true }, clientConfig, service]
+ - [webhooks, { allIndexes: true }, namespaceSelector]
+ - [webhooks, { allIndexes: true }, objectSelector]
+ - [webhooks, { allIndexes: true }, reinvocationPolicy]
+ - [webhooks, { allIndexes: true }, rules]
+ type: copy
+ sources: [existing, new]
+ resourceMatchers:
+ - apiVersionKindMatcher:
+ { apiVersion: admissionregistration.k8s.io/v1, kind: ValidatingWebhookConfiguration }
+ - apiVersionKindMatcher:
+ { apiVersion: admissionregistration.k8s.io/v1, kind: MutatingWebhookConfiguration }
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/config/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/config/functions.star
new file mode 100644
index 000000000..ba82a2e8c
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/config/functions.star
@@ -0,0 +1,17 @@
+load("@ytt:struct", "struct")
+
+def removeNulls(data):
+ # Iterate over a struct of scalar values and return only those where value is not null
+ filtered_data = {}
+ for key in struct.decode(data):
+ value = getattr(data, key, None)
+ if type(value) == "struct":
+ value = removeNulls(value)
+ end
+ if value: #! This means that value is not an empty string, dict, struct, ...
+ filtered_data[key] = value
+ end
+ end
+ return struct.encode(filtered_data)
+end
+
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/config/save-config-overlay.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/config/save-config-overlay.yaml
new file mode 100644
index 000000000..c463a20cc
--- /dev/null
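Review bot: The `rules`, `namespaceSelector`, `objectSelector` and `clientConfig.service` of every ValidatingWebhookConfiguration and MutatingWebhookConfiguration are taken from the cluster copy, so a manifest change to what an admission webhook intercepts, or to which Service backs it, is dropped after the first deploy. That is appropriate for a component that rewrites its own webhook configuration at runtime (Kyverno is the likely candidate here, though the page does not say), but the matcher is cluster-wide; restricting it with `kindNamespaceNameMatcher` to the names of the self-managing webhook configurations keeps other admission webhooks upgradeable from the manifest and limits how far a stale or modified webhook configuration already on the cluster can persist. A comment naming the owning component would also record why the cluster's view wins.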
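Review bot: `if value:` drops every falsy value, not only nulls — a setting the user explicitly set to `false`, `0` or `""` disappears from the saved config, which contradicts the function's name and means a consumer of `config.yaml` will see its own default in place of the user's `false`. Use `if value != None:` and, if empty structs should still be pruned after the recursion, test for that separately rather than relying on truthiness. The leading comment would also be more accurate as `# Recursively drop struct members whose value is None`.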
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/config/save-config-overlay.yaml
@@ -0,0 +1,22 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+#@ load("@ytt:yaml", "yaml")
+#@ load("functions.star", "removeNulls")
+
+#! We create educates namespace in case educates package is not enabled
+#@ if/end not data.values.values.clusterPackages.educates.enabled:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: educates
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: educates-config
+ namespace: educates
+data:
+ config.yaml: #@ yaml.encode(removeNulls(data.values.config))
+ values.yaml: #@ yaml.encode(data.values.values)
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml
new file mode 100644
index 000000000..c64d2fda6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/00-remove-toplevel-values.yaml
@@ -0,0 +1,48 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/remove
+debug:
+
+#@overlay/remove
+localKindCluster:
+#@overlay/remove
+localDNSResolver:
+
+#@overlay/remove
+clusterInfrastructure:
+
+#@overlay/remove
+imageRegistry:
+#@overlay/remove
+version:
+#@overlay/remove
+imageVersions:
+#@overlay/remove
+clusterRuntime:
+#@overlay/remove
+clusterIngress:
+#@overlay/remove
+sessionCookies:
+#@overlay/remove
+clusterStorage:
+#@overlay/remove
+clusterSecrets:
+#@overlay/remove
+clusterSecurity:
+#@overlay/remove
+workshopSecurity:
+#@overlay/remove
+trainingPortal:
+#@overlay/remove
+dockerDaemon:
+#@overlay/remove
+clusterNetwork:
+#@overlay/remove
+workshopAnalytics:
+#@overlay/remove
+websiteStyling:
+#@overlay/remove
+imagePuller:
+#@overlay/remove
+lookupService:
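Review bot: The complete user values document (`data.values.values`) and the derived config are persisted verbatim into the `educates-config` ConfigMap, and the top-level keys that 00-remove-toplevel-values.yaml strips for the provider overlay (`clusterSecrets`, `imageRegistry`, `sessionCookies`, `workshopAnalytics`) suggest at least some of those values can carry credentials or signing material. If that is the case, a ConfigMap is readable by anyone with `get configmaps` in the `educates` namespace, so those sections should be stripped before `yaml.encode` or the object should be a Secret. A comment above the ConfigMap stating which components read `config.yaml` and `values.yaml`, and that the content must not contain secrets, would make the contract explicit; the `overlay` module is loaded but not used in this file.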
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-default-settings-for-provider.yaml
new file mode 100644
index 000000000..221ebf2c1
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/10-default-settings-for-provider.yaml
@@ -0,0 +1,31 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "isClusterPackageEnableByDefault")
+
+#! This file contains default values for the custom infrastructure provider.
+#! These are the values that will be set if not overridden by the user.
+
+#@overlay/match-child-defaults missing_ok=True
+#@overlay/replace
+clusterPackages:
+ contour:
+ enabled: #@ isClusterPackageEnableByDefault("contour")
+ settings: {}
+ cert-manager:
+ enabled: #@ isClusterPackageEnableByDefault("cert-manager")
+ settings: {}
+ external-dns:
+ enabled: #@ isClusterPackageEnableByDefault("external-dns")
+ settings: {}
+ certs:
+ enabled: #@ isClusterPackageEnableByDefault("certs")
+ settings: {}
+ kyverno:
+ enabled: #@ isClusterPackageEnableByDefault("kyverno")
+ settings: {}
+ kapp-controller:
+ enabled: #@ isClusterPackageEnableByDefault("kapp-controller")
+ settings: {}
+ educates:
+ enabled: #@ isClusterPackageEnableByDefault("educates")
+ settings: {}
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-packages-enablement.yaml
new file mode 100644
index 000000000..0a383ee3e
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/50-packages-enablement.yaml
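Review bot: `#@overlay/replace` on `clusterPackages` swaps the user's entire `clusterPackages` node for this defaults block, so any `settings:` the user supplied for a package are discarded at this step; 50-packages-enablement.yaml only restores `enabled`, and the file that would copy educates settings back (80-copy-educates-config.yaml) is fully commented out. If that reading of the overlay order is right, user-provided package settings never reach the packages for the custom provider, which contradicts the header comment `These are the values that will be set if not overridden by the user`. Either drop `#@overlay/replace` and let `match-child-defaults missing_ok=True` fill in only the missing keys, or change the comment to say that `settings` are intentionally ignored for this provider.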
@@ -0,0 +1,28 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#! This enables packages based on the user input
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ contour:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"):
+ enabled: #@ data.values.clusterPackages.contour.enabled
+ cert-manager:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"):
+ enabled: #@ data.values.clusterPackages["cert-manager"].enabled
+ external-dns:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"):
+ enabled: #@ data.values.clusterPackages["external-dns"].enabled
+ certs:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"):
+ enabled: #@ data.values.clusterPackages.certs.enabled
+ kyverno:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"):
+ enabled: #@ data.values.clusterPackages.kyverno.enabled
+ kapp-controller:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"):
+ enabled: #@ data.values.clusterPackages["kapp-controller"].enabled
+ educates:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"):
+ enabled: #@ data.values.clusterPackages.educates.enabled
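Review bot: This file is byte-identical to `infrastructure/eks/50-packages-enablement.yaml` added later in the commit (both carry blob `0a383ee3e`), and the same holds for `00-remove-toplevel-values.yaml` (`c64d2fda6`) and `educates.lib.yaml` (`3cba7762a`) in the two provider directories, so a fix in one copy will silently miss the other. The seven near-identical `#@ if/end hasattr(...)` / `enabled:` pairs here could also be generated from a package list in a single `#@ for pkg in [...]:` loop, which would make adding `lookup-service` or another package a one-line change. If the duplication is deliberate so the providers can diverge, a one-line `#!` comment saying so would stop the next reader from deduplicating it.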
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml
new file mode 100644
index 000000000..59fdcb488
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/80-copy-educates-config.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("educates.lib.yaml", "copy_all_educates_values")
+
+#! This copies user provided values for the custom infrastructure provider.
+
+#! #@overlay/match-child-defaults missing_ok=True
+#! clusterPackages:
+#! educates:
+#! settings: #@ copy_all_educates_values()
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml
new file mode 100644
index 000000000..27247f982
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/90-overlays.yaml
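Review bot: Every overlay line in custom/80-copy-educates-config.yaml is commented out with `#!`, so the file is a no-op that still loads `data`, `overlay` and `copy_all_educates_values` from `educates.lib.yaml`, and its header comment says it "copies user provided values" when it copies nothing. A reader has to find the README to learn that discarding the top-level educates config is intended for this provider. Either delete the file (together with the then-unused `custom/educates.lib.yaml`) or replace the dead block with a statement of intent such as `#! Intentionally empty: the custom provider only accepts clusterPackages.*.settings; top-level educates values are discarded (see README.md).`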
@@ -0,0 +1,26 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ contour:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "settings"):
+ settings: #@ data.values.clusterPackages.contour.settings
+ cert-manager:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "settings"):
+ settings: #@ data.values.clusterPackages["cert-manager"].settings
+ external-dns:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "settings"):
+ settings: #@ data.values.clusterPackages["external-dns"].settings
+ certs:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "settings"):
+ settings: #@ data.values.clusterPackages.certs.settings
+ kyverno:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "settings"):
+ settings: #@ data.values.clusterPackages.kyverno.settings
+ kapp-controller:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "settings"):
+ settings: #@ data.values.clusterPackages["kapp-controller"].settings
+ educates:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages["educates"], "settings"):
+ settings: #@ data.values.clusterPackages["educates"].settings
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml
new file mode 100644
index 000000000..30db2e394
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/99-remove-settings-disabled.yaml
@@ -0,0 +1,36 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "isClusterPackageExplicitDisabled")
+
+#! This removes settings for disabled packages
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ contour:
+ #@ if/end isClusterPackageExplicitDisabled("contour"):
+ #@overlay/replace
+ settings: {}
+ cert-manager:
+ #@ if/end isClusterPackageExplicitDisabled("cert-manager"):
+ #@overlay/replace
+ settings: {}
+ external-dns:
+ #@ if/end isClusterPackageExplicitDisabled("external-dns"):
+ #@overlay/replace
+ settings: {}
+ certs:
+ #@ if/end isClusterPackageExplicitDisabled("certs"):
+ #@overlay/replace
+ settings: {}
+ kyverno:
+ #@ if/end isClusterPackageExplicitDisabled("kyverno"):
+ #@overlay/replace
+ settings: {}
+ kapp-controller:
+ #@ if/end isClusterPackageExplicitDisabled("kapp-controller"):
+ #@overlay/replace
+ settings: {}
+ educates:
+ #@ if/end isClusterPackageExplicitDisabled("educates"):
+ #@overlay/replace
+ settings: {}
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md
new file mode 100644
index 000000000..03a048463
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/README.md
@@ -0,0 +1,5 @@
+# Custom
+For custom we only accept the clusterPackages configuration.
+All the other configuration will be discarded.
+There's no default configuration being applied.
+Whatever main config is provided it will be discarded
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star
new file mode 100644
index 000000000..296e59248
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/defaults.star
@@ -0,0 +1,4 @@
+load("@ytt:data", "data")
+
+enabledByDefaultPackagesList = [
+]
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml
new file mode 100644
index 000000000..3cba7762a
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/educates.lib.yaml
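Review bot: `load("@ytt:data", "data")` in custom/defaults.star is unused — the module only defines `enabledByDefaultPackagesList` — and the same unused load is in `infrastructure/eks/defaults.star`; dropping it keeps the defaults module free of a data-values dependency it does not need. A one-line comment above the list would also tell the reader why it is empty here and populated for eks, e.g. `# Packages switched on when the user gives no explicit enabled: value; the custom provider enables nothing by default.`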
@@ -0,0 +1,174 @@
+#@ load("@ytt:data", "data")
+
+#! TODO: Customize certs name reference in eks
+#@ def copy_all_educates_values():
+
+#@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None:
+imageRegistry:
+ #@ if/end hasattr(data.values.imageRegistry, "namespace") and data.values.imageRegistry.namespace != None:
+ namespace: #@ data.values.imageRegistry.namespace
+ #@ if/end hasattr(data.values.imageRegistry, "host") and data.values.imageRegistry.host != None:
+ host: #@ data.values.imageRegistry.host
+#@ if/end hasattr(data.values, "version") and data.values.version != None:
+version: #@ data.values.version
+#@ if/end hasattr(data.values, "imageVersions") and data.values.imageVersions != None:
+imageVersions: #@ data.values.imageVersions
+#@ if/end hasattr(data.values, "clusterRuntime") and data.values.clusterRuntime != None:
+clusterRuntime: #@ data.values.clusterRuntime
+#@ if/end hasattr(data.values, "clusterIngress") and data.values.clusterIngress != None:
+clusterIngress:
+ #@ if/end hasattr(data.values.clusterIngress, "domain") and data.values.clusterIngress.domain != None:
+ domain: #@ data.values.clusterIngress.domain
+ #@ if/end hasattr(data.values.clusterIngress, "class") and data.values.clusterIngress["class"] != None:
+ class: #@ data.values.clusterIngress["class"]
+ #@ if/end hasattr(data.values.clusterIngress, "protocol") and data.values.clusterIngress.protocol != None:
+ protocol: #@ data.values.clusterIngress.protocol
+ #@ if/end hasattr(data.values.clusterIngress, "tlsCertificate") and data.values.clusterIngress.tlsCertificate != None:
+ tlsCertificate:
+ #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.crt") and data.values.clusterIngress.tlsCertificate["tls.crt"] != None:
+ tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"]
+ #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None:
+ tls.key: #@
data.values.clusterIngress.tlsCertificate["tls.key"]
+ #! TODO: Customize certs name reference in eks
+ #! projectcontour/wildcard
+ #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None:
+ tlsCertificateRef:
+ namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour"
+ #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None:
+ name: #@ data.values.clusterIngress.tlsCertificateRef.name
+ #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None:
+ caCertificate: #@ data.values.clusterIngress.caCertificate
+ #@ if/end hasattr(data.values.clusterIngress, "caCertificateRef") and data.values.clusterIngress.caCertificateRef != None:
+ caCertificateRef:
+ #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "namespace") and data.values.clusterIngress.caCertificateRef.namespace != None:
+ namespace: #@ data.values.clusterIngress.caCertificateRef.namespace
+ #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "name") and data.values.clusterIngress.caCertificateRef.name != None:
+ name: #@ data.values.clusterIngress.caCertificateRef.name
+ #@ if/end hasattr(data.values.clusterIngress, "caNodeInjector") and data.values.clusterIngress.caNodeInjector != None:
+ caNodeInjector: #@ data.values.clusterIngress.caNodeInjector
+#@ if/end hasattr(data.values, "sessionCookies") and data.values.sessionCookies != None:
+sessionCookies: #@ data.values.sessionCookies
+#@ if/end hasattr(data.values, "clusterStorage") and data.values.clusterStorage != None:
+clusterStorage:
+ #@ if/end hasattr(data.values.clusterStorage, "class") and data.values.clusterStorage["class"] != None:
+ class: #@
data.values.clusterStorage["class"]
+ #@ if/end hasattr(data.values.clusterStorage, "user") and data.values.clusterStorage.user != None:
+ user: #@ data.values.clusterStorage.user
+ #@ if/end hasattr(data.values.clusterStorage, "group") and data.values.clusterStorage.group != None:
+ group: #@ data.values.clusterStorage.group
+#@ if/end hasattr(data.values, "clusterSecrets") and data.values.clusterSecrets != None:
+clusterSecrets: #@ data.values.clusterSecrets
+#@ if/end hasattr(data.values, "clusterSecurity") and data.values.clusterSecurity != None:
+clusterSecurity: #@ data.values.clusterSecurity
+#@ if/end hasattr(data.values, "workshopSecurity") and data.values.workshopSecurity != None:
+workshopSecurity: #@ data.values.workshopSecurity
+#@ if/end hasattr(data.values, "trainingPortal") and data.values.trainingPortal != None:
+trainingPortal:
+ #@ if/end hasattr(data.values.trainingPortal, "credentials") and data.values.trainingPortal.credentials != None:
+ credentials:
+ #@ if/end hasattr(data.values.trainingPortal.credentials, "admin") and data.values.trainingPortal.credentials.admin != None:
+ admin:
+ #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "username") and data.values.trainingPortal.credentials.admin.username != None:
+ username: #@ data.values.trainingPortal.credentials.admin.username
+ #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None:
+ password: #@ data.values.trainingPortal.credentials.admin.password
+ #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None:
+ robot:
+ #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None:
+ username: #@ data.values.trainingPortal.credentials.robot.username
+ #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "password") and
data.values.trainingPortal.credentials.robot.password != None:
+ password: #@ data.values.trainingPortal.credentials.robot.password
+ #@ if/end hasattr(data.values.trainingPortal, "clients") and data.values.trainingPortal.clients != None:
+ clients:
+ #@ if/end hasattr(data.values.trainingPortal.clients, "robot") and data.values.trainingPortal.clients.robot != None:
+ robot:
+ #@ if/end hasattr(data.values.trainingPortal.clients.robot, "id") and data.values.trainingPortal.clients.robot.id != None:
+ id: #@ data.values.trainingPortal.clients.robot.id
+ #@ if/end hasattr(data.values.trainingPortal.clients.robot, "secret") and data.values.trainingPortal.clients.robot.secret != None:
+ secret: #@ data.values.trainingPortal.clients.robot.secret
+#@ if/end hasattr(data.values, "dockerDaemon") and data.values.dockerDaemon != None:
+dockerDaemon:
+ #@ if/end hasattr(data.values.dockerDaemon, "networkMTU") and data.values.dockerDaemon.networkMTU != None:
+ networkMTU: #@ data.values.dockerDaemon.networkMTU
+ #@ if/end hasattr(data.values.dockerDaemon, "proxyCache") and data.values.dockerDaemon.proxyCache != None:
+ proxyCache:
+ #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "remoteURL") and data.values.dockerDaemon.proxyCache.remoteURL != None:
+ remoteURL: #@ data.values.dockerDaemon.proxyCache.remoteURL
+ #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "username") and data.values.dockerDaemon.proxyCache.username != None:
+ username: #@ data.values.dockerDaemon.proxyCache.username
+ #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "password") and data.values.dockerDaemon.proxyCache.password != None:
+ password: #@ data.values.dockerDaemon.proxyCache.password
+#@ if/end hasattr(data.values, "clusterNetwork") and data.values.clusterNetwork != None:
+clusterNetwork: #@ data.values.clusterNetwork
+#@ if/end hasattr(data.values, "workshopAnalytics") and data.values.workshopAnalytics != None:
+workshopAnalytics:
+ #@ if/end
hasattr(data.values.workshopAnalytics, "google") and data.values.workshopAnalytics.google != None:
+ google:
+ #@ if/end hasattr(data.values.workshopAnalytics.google, "trackingId") and data.values.workshopAnalytics.google.trackingId != None:
+ trackingId: #@ data.values.workshopAnalytics.google.trackingId
+ #@ if/end hasattr(data.values.workshopAnalytics, "clarity") and data.values.workshopAnalytics.clarity != None:
+ clarity:
+ #@ if/end hasattr(data.values.workshopAnalytics.clarity, "trackingId") and data.values.workshopAnalytics.clarity.trackingId != None:
+ trackingId: #@ data.values.workshopAnalytics.clarity.trackingId
+ #@ if/end hasattr(data.values.workshopAnalytics, "amplitude") and data.values.workshopAnalytics.amplitude != None:
+ amplitude:
+ #@ if/end hasattr(data.values.workshopAnalytics.amplitude, "trackingId") and data.values.workshopAnalytics.amplitude.trackingId != None:
+ trackingId: #@ data.values.workshopAnalytics.amplitude.trackingId
+ #@ if/end hasattr(data.values.workshopAnalytics, "webhook") and data.values.workshopAnalytics.webhook != None:
+ webhook:
+ #@ if/end hasattr(data.values.workshopAnalytics.webhook, "url") and data.values.workshopAnalytics.webhook.url != None:
+ url: #@ data.values.workshopAnalytics.webhook.url
+#@ if/end hasattr(data.values, "websiteStyling") and data.values.websiteStyling != None:
+websiteStyling:
+ #@ if/end hasattr(data.values.websiteStyling, "workshopDashboard") and data.values.websiteStyling.workshopDashboard != None:
+ workshopDashboard:
+ #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "html") and data.values.websiteStyling.workshopDashboard.html != None:
+ html: #@ data.values.websiteStyling.workshopDashboard.html
+ #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "script") and data.values.websiteStyling.workshopDashboard.script != None:
+ script: #@ data.values.websiteStyling.workshopDashboard.script
+ #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "style")
and data.values.websiteStyling.workshopDashboard.style != None:
+ style: #@ data.values.websiteStyling.workshopDashboard.style
+ #@ if/end hasattr(data.values.websiteStyling, "workshopInstructions") and data.values.websiteStyling.workshopInstructions != None:
+ workshopInstructions:
+ #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "html") and data.values.websiteStyling.workshopInstructions.html != None:
+ html: #@ data.values.websiteStyling.workshopInstructions.html
+ #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "script") and data.values.websiteStyling.workshopInstructions.script != None:
+ script: #@ data.values.websiteStyling.workshopInstructions.script
+ #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "style") and data.values.websiteStyling.workshopInstructions.style != None:
+ style: #@ data.values.websiteStyling.workshopInstructions.style
+ #@ if/end hasattr(data.values.websiteStyling, "workshopStarted") and data.values.websiteStyling.workshopStarted != None:
+ workshopStarted:
+ #@ if/end hasattr(data.values.websiteStyling.workshopStarted, "html") and data.values.websiteStyling.workshopStarted.html != None:
+ html: #@ data.values.websiteStyling.workshopStarted.html
+ #@ if/end hasattr(data.values.websiteStyling, "workshopFinished") and data.values.websiteStyling.workshopFinished != None:
+ workshopFinished:
+ #@ if/end hasattr(data.values.websiteStyling.workshopFinished, "html") and data.values.websiteStyling.workshopFinished.html != None:
+ html: #@ data.values.websiteStyling.workshopFinished.html
+ #@ if/end hasattr(data.values.websiteStyling, "trainingPortal") and data.values.websiteStyling.trainingPortal != None:
+ trainingPortal:
+ #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "html") and data.values.websiteStyling.trainingPortal.html != None:
+ html: #@ data.values.websiteStyling.trainingPortal.html
+ #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "script") and
data.values.websiteStyling.trainingPortal.script != None:
+ script: #@ data.values.websiteStyling.trainingPortal.script
+ #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "style") and data.values.websiteStyling.trainingPortal.style != None:
+ style: #@ data.values.websiteStyling.trainingPortal.style
+ #@ if/end hasattr(data.values.websiteStyling, "defaultTheme") and data.values.websiteStyling.defaultTheme != None:
+ defaultTheme: #@ data.values.websiteStyling.defaultTheme
+ #@ if/end hasattr(data.values.websiteStyling, "themeDataRefs") and data.values.websiteStyling.themeDataRefs != None:
+ themeDataRefs: #@ data.values.websiteStyling.themeDataRefs
+ #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None:
+ frameAncestors: #@ data.values.websiteStyling.frameAncestors
+#@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None:
+imagePuller:
+ enabled: #@ data.values.imagePuller.enabled
+ #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None:
+ #@overlay/replace
+ prePullImages: #@ data.values.imagePuller.prePullImages
+ #@ end
+#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None:
+lookupService:
+ #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None:
+ enabled: #@ data.values.lookupService.enabled
+ #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None:
+ ingressPrefix: #@ data.values.lookupService.ingressPrefix
+#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star
new file mode 100644
index 000000000..6a078759f
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/custom/functions.star
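Review bot: `imagePuller.enabled` is read unguarded (`enabled: #@ data.values.imagePuller.enabled`) while every other leaf in `copy_all_educates_values` is wrapped in a `hasattr(...) and ... != None` check, so a values document that sets `imagePuller:` with only `prePullImages` aborts the render with an attribute error instead of being skipped like its siblings; guard it the same way: `#@ if/end hasattr(data.values.imagePuller, "enabled") and data.values.imagePuller.enabled != None:` above the `enabled:` line. Note also that this function forwards `tlsCertificate["tls.key"]`, the admin/robot passwords and `proxyCache.password` into `clusterPackages.educates.settings`, so wherever that structure is persisted it should be treated as a Secret; a header comment listing the secret-bearing fields would help reviewers of downstream files. The function body spans this whole hunk, and the file is duplicated verbatim under `infrastructure/eks/`, where the same fix is needed.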
@@ -0,0 +1,18 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+ return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+ if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+ return data.values.clusterPackages[package].enabled
+ else:
+ return package in enabledByDefaultPackagesList
+ end
+end
+
+def isClusterPackageExplicitDisabled(package):
+ return not isClusterPackageEnabled(package)
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml
new file mode 100644
index 000000000..c64d2fda6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/00-remove-toplevel-values.yaml
@@ -0,0 +1,48 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/remove
+debug:
+
+#@overlay/remove
+localKindCluster:
+#@overlay/remove
+localDNSResolver:
+
+#@overlay/remove
+clusterInfrastructure:
+
+#@overlay/remove
+imageRegistry:
+#@overlay/remove
+version:
+#@overlay/remove
+imageVersions:
+#@overlay/remove
+clusterRuntime:
+#@overlay/remove
+clusterIngress:
+#@overlay/remove
+sessionCookies:
+#@overlay/remove
+clusterStorage:
+#@overlay/remove
+clusterSecrets:
+#@overlay/remove
+clusterSecurity:
+#@overlay/remove
+workshopSecurity:
+#@overlay/remove
+trainingPortal:
+#@overlay/remove
+dockerDaemon:
+#@overlay/remove
+clusterNetwork:
+#@overlay/remove
+workshopAnalytics:
+#@overlay/remove
+websiteStyling:
+#@overlay/remove
+imagePuller:
+#@overlay/remove
+lookupService:
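Review bot: `isClusterPackageExplicitDisabled` does not test for an explicit `enabled: false`; it returns `not isClusterPackageEnabled(package)`, which is also True when the package is simply absent from both `data.values.clusterPackages` and `enabledByDefaultPackagesList` — on the custom provider, whose default list is empty, that is every package the user did not opt into. `99-remove-settings-disabled.yaml` relies on this name to wipe `settings`, so either rename it to `isClusterPackageDisabled` or document the contract above the def: `# True unless the package is enabled explicitly by the user or by the provider's defaults list.` Separately, `isClusterPackageEnabled` returns the raw `enabled` value without checking it is a bool, so a string such as `enabled: "false"` is truthy and counts as enabled unless the data-values schema already types that field; coercing with `== True` or asserting the type here would make the overlays in 50- and 99- behave consistently.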
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml
new file mode 100644
index 000000000..81adfc85d
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/10-default-settings-for-provider.yaml
@@ -0,0 +1,71 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:assert", "assert")
+#@ load("functions.star", "isClusterPackageEnableByDefault", "xgetattr")
+
+#@ (hasIrsaRoleExternalDns, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["aws"]["irsaRoles"]["external-dns"]) > 0)
+#@ if hasIrsaRoleExternalDns:
+#@ externalDnsIrsaRole = data.values["clusterInfrastructure"]["aws"]["irsaRoles"]["external-dns"]
+#@ else:
+#@ fail("external-dns is enabled and can not be configured. Missing irsaRole")
+#@ end
+
+#@ (hasIrsaRoleCertManager, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["aws"]["irsaRoles"]["cert-manager"]) > 0)
+#@ if hasIrsaRoleCertManager:
+#@ certManagerIrsaRole = data.values["clusterInfrastructure"]["aws"]["irsaRoles"]["cert-manager"]
+#@ else:
+#@ fail("cert-manager is enabled and can not be configured. Missing irsaRole")
+#@ end
+
+
+#@overlay/match-child-defaults missing_ok=True
+#@overlay/replace
+clusterPackages:
+ contour:
+ enabled: #@ isClusterPackageEnableByDefault("contour")
+ settings:
+ infraProvider: aws
+ configFileContents:
+ defaultHttpVersions:
+ - "HTTP/1.1"
+ service:
+ type: LoadBalancer
+ externaldns:
+ domains:
+ - #@ data.values.clusterIngress.domain
+ cert-manager:
+ enabled: #@ isClusterPackageEnableByDefault("cert-manager")
+ settings:
+ serviceaccount:
+ annotations:
+ eks.amazonaws.com/role-arn: #@ certManagerIrsaRole
+ external-dns:
+ enabled: #@ isClusterPackageEnableByDefault("external-dns")
+ settings:
+ infraProvider: aws
+ serviceaccount:
+ annotations:
+ eks.amazonaws.com/role-arn: #@ externalDnsIrsaRole
+ aws:
+ args:
+ domain_filter: #@ data.values.clusterInfrastructure.aws.route53.hostedZone if hasattr(data.values.clusterInfrastructure.aws.route53, "hostedZone") else data.values.clusterIngress.domain
+ txt_owner_id: "educates"
+ certs:
+ enabled: #@ isClusterPackageEnableByDefault("certs")
+ settings:
+ certProvider: acme-aws
+ domains:
+ - #@
data.values.clusterIngress.domain
+ acme:
+ aws:
+ certs:
+ region: #@ data.values.clusterInfrastructure.aws.region
+ kyverno:
+ enabled: #@ isClusterPackageEnableByDefault("kyverno")
+ settings: {}
+ kapp-controller:
+ enabled: #@ isClusterPackageEnableByDefault("kapp-controller")
+ settings: {}
+ educates:
+ enabled: #@ isClusterPackageEnableByDefault("educates")
+ settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml
new file mode 100644
index 000000000..43314cca6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/12-overlays.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ educates:
+ settings:
+ clusterIngress:
+ tlsCertificateRef:
+ namespace: projectcontour
+ name: educateswildcard
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-packages-enablement.yaml
new file mode 100644
index 000000000..0a383ee3e
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/50-packages-enablement.yaml
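Review bot: The two `fail(...)` calls at the top of the 10-default-settings-for-provider.yaml hunk fire whenever the IRSA role is missing, regardless of whether `external-dns` or `cert-manager` is enabled — the messages say "is enabled" but nothing checks enablement, and the eks README in this commit says users may disable packages. Guarding each check on enablement (for example `#@ elif isClusterPackageEnabled("external-dns"):` before the `fail`, assuming `eks/functions.star`, which is outside this chunk, exposes the same helper as the custom one) would let a cluster without the role opt out, but the `eks.amazonaws.com/role-arn: #@ externalDnsIrsaRole` line then needs a fallback value or the whole package block must become conditional. Separately, `txt_owner_id: "educates"` is fixed: two educates installs sharing one hosted zone would each treat the other's records as their own, so consider deriving the owner id from the cluster or domain, or documenting the single-install-per-zone assumption next to it.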
@@ -0,0 +1,28 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#! This enables packages based on the user input
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ contour:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"):
+ enabled: #@ data.values.clusterPackages.contour.enabled
+ cert-manager:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"):
+ enabled: #@ data.values.clusterPackages["cert-manager"].enabled
+ external-dns:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"):
+ enabled: #@ data.values.clusterPackages["external-dns"].enabled
+ certs:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"):
+ enabled: #@ data.values.clusterPackages.certs.enabled
+ kyverno:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"):
+ enabled: #@ data.values.clusterPackages.kyverno.enabled
+ kapp-controller:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"):
+ enabled: #@ data.values.clusterPackages["kapp-controller"].enabled
+ educates:
+ #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"):
+ enabled: #@ data.values.clusterPackages.educates.enabled
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/80-copy-educates-config.yaml
new file mode 100644
index 000000000..1afda1acb
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/80-copy-educates-config.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("educates.lib.yaml", "copy_all_educates_values")
+
+#! This copies user provided values for the custom infrastructure provider.
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ educates:
+ settings: #@ copy_all_educates_values()
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml
new file mode 100644
index 000000000..25b8297c8
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/99-remove-settings-disabled.yaml
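Review bot: The header comment `#! This copies user provided values for the custom infrastructure provider.` in eks/80-copy-educates-config.yaml was carried over from the custom directory; this is the eks file and, unlike the custom one, its overlay is live, so the comment is wrong on the one file where it matters. Suggest `#! Copies the top-level educates values (imageRegistry, clusterIngress, trainingPortal credentials, ...) into clusterPackages.educates.settings for the eks provider.` It would also help to state that this merge is applied after the `settings: #@ xgetattr(...)` default from 10-default-settings-for-provider.yaml and the fixed `tlsCertificateRef` from 12-overlays.yaml, since ytt's file-order application appears to be what decides which value wins.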
@@ -0,0 +1,36 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "isClusterPackageExplicitDisabled")
+
+#! This removes settings for disabled packages
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ contour:
+ #@ if/end isClusterPackageExplicitDisabled("contour"):
+ #@overlay/replace
+ settings: {}
+ cert-manager:
+ #@ if/end isClusterPackageExplicitDisabled("cert-manager"):
+ #@overlay/replace
+ settings: {}
+ external-dns:
+ #@ if/end isClusterPackageExplicitDisabled("external-dns"):
+ #@overlay/replace
+ settings: {}
+ certs:
+ #@ if/end isClusterPackageExplicitDisabled("certs"):
+ #@overlay/replace
+ settings: {}
+ kyverno:
+ #@ if/end isClusterPackageExplicitDisabled("kyverno"):
+ #@overlay/replace
+ settings: {}
+ kapp-controller:
+ #@ if/end isClusterPackageExplicitDisabled("kapp-controller"):
+ #@overlay/replace
+ settings: {}
+ #! educates:
+ #! #@ if/end isClusterPackageExplicitDisabled("educates"):
+ #! #@overlay/replace
+ #! settings: {}
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/README.md
new file mode 100644
index 000000000..a684b3aec
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/README.md
@@ -0,0 +1,3 @@
+# EKS
+For EKS we only allow the opinionated configuration for the packages, so, not settings are allowed
+although enabling/disabling the package is allowed at users' risk.
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star
new file mode 100644
index 000000000..6b9484322
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/defaults.star
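Review bot: The `educates:` entry in eks/99-remove-settings-disabled.yaml is commented out, so on EKS disabling the educates package (which 50-packages-enablement.yaml and the README allow) leaves `clusterPackages.educates.settings` — including the credential and TLS-key material that 80-copy-educates-config.yaml copies in — in the rendered configuration, while every other disabled package gets `settings: {}`. If that is deliberate (the values may still be needed by save-config-overlay.yaml when the package is off), replace the four dead `#!` lines with a comment saying so, e.g. `#! educates settings are intentionally kept when the package is disabled; other files still render from them.`; otherwise restore the block so disabled-package handling is uniform.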
@@ -0,0 +1,10 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ + "cert-manager", + "contour", + "external-dns", + "certs", + "kyverno", + "educates" +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml new file mode 100644 index 000000000..3cba7762a --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/educates.lib.yaml 
@@ -0,0 +1,174 @@ +#@ load("@ytt:data", "data") + +#! TODO: Customize certs name reference in eks +#@ def copy_all_educates_values(): + +#@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: +imageRegistry: + #@ if/end hasattr(data.values.imageRegistry, "namespace") and data.values.imageRegistry.namespace != None: + namespace: #@ data.values.imageRegistry.namespace + #@ if/end hasattr(data.values.imageRegistry, "host") and data.values.imageRegistry.host != None: + host: #@ data.values.imageRegistry.host +#@ if/end hasattr(data.values, "version") and data.values.version != None: +version: #@ data.values.version +#@ if/end hasattr(data.values, "imageVersions") and data.values.imageVersions != None: +imageVersions: #@ data.values.imageVersions +#@ if/end hasattr(data.values, "clusterRuntime") and data.values.clusterRuntime != None: +clusterRuntime: #@ data.values.clusterRuntime +#@ if/end hasattr(data.values, "clusterIngress") and data.values.clusterIngress != None: +clusterIngress: + #@ if/end hasattr(data.values.clusterIngress, "domain") and data.values.clusterIngress.domain != None: + domain: #@ data.values.clusterIngress.domain + #@ if/end hasattr(data.values.clusterIngress, "class") and data.values.clusterIngress["class"] != None: + class: #@ data.values.clusterIngress["class"] + #@ if/end hasattr(data.values.clusterIngress, "protocol") and data.values.clusterIngress.protocol != None: + protocol: #@ data.values.clusterIngress.protocol + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificate") and data.values.clusterIngress.tlsCertificate != None: + tlsCertificate: + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.crt") and data.values.clusterIngress.tlsCertificate["tls.crt"] != None: + tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"] + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None: + tls.key: #@ 
data.values.clusterIngress.tlsCertificate["tls.key"] + #! TODO: Customize certs name reference in eks + #! projectcontour/wildcard + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None: + tlsCertificateRef: + namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour" + #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None: + name: #@ data.values.clusterIngress.tlsCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None: + caCertificate: #@ data.values.clusterIngress.caCertificate + #@ if/end hasattr(data.values.clusterIngress, "caCertificateRef") and data.values.clusterIngress.caCertificateRef != None: + caCertificateRef: + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "namespace") and data.values.clusterIngress.caCertificateRef.namespace != None: + namespace: #@ data.values.clusterIngress.caCertificateRef.namespace + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "name") and data.values.clusterIngress.caCertificateRef.name != None: + name: #@ data.values.clusterIngress.caCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caNodeInjector") and data.values.clusterIngress.caNodeInjector != None: + caNodeInjector: #@ data.values.clusterIngress.caNodeInjector +#@ if/end hasattr(data.values, "sessionCookies") and data.values.sessionCookies != None: +sessionCookies: #@ data.values.sessionCookies +#@ if/end hasattr(data.values, "clusterStorage") and data.values.clusterStorage != None: +clusterStorage: + #@ if/end hasattr(data.values.clusterStorage, "class") and data.values.clusterStorage["class"] != None: + class: #@ 
data.values.clusterStorage["class"] + #@ if/end hasattr(data.values.clusterStorage, "user") and data.values.clusterStorage.user != None: + user: #@ data.values.clusterStorage.user + #@ if/end hasattr(data.values.clusterStorage, "group") and data.values.clusterStorage.group != None: + group: #@ data.values.clusterStorage.group +#@ if/end hasattr(data.values, "clusterSecrets") and data.values.clusterSecrets != None: +clusterSecrets: #@ data.values.clusterSecrets +#@ if/end hasattr(data.values, "clusterSecurity") and data.values.clusterSecurity != None: +clusterSecurity: #@ data.values.clusterSecurity +#@ if/end hasattr(data.values, "workshopSecurity") and data.values.workshopSecurity != None: +workshopSecurity: #@ data.values.workshopSecurity +#@ if/end hasattr(data.values, "trainingPortal") and data.values.trainingPortal != None: +trainingPortal: + #@ if/end hasattr(data.values.trainingPortal, "credentials") and data.values.trainingPortal.credentials != None: + credentials: + #@ if/end hasattr(data.values.trainingPortal.credentials, "admin") and data.values.trainingPortal.credentials.admin != None: + admin: + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "username") and data.values.trainingPortal.credentials.admin.username != None: + username: #@ data.values.trainingPortal.credentials.admin.username + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: + password: #@ data.values.trainingPortal.credentials.admin.password + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: + username: #@ data.values.trainingPortal.credentials.robot.username + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "password") and 
data.values.trainingPortal.credentials.robot.password != None: + password: #@ data.values.trainingPortal.credentials.robot.password + #@ if/end hasattr(data.values.trainingPortal, "clients") and data.values.trainingPortal.clients != None: + clients: + #@ if/end hasattr(data.values.trainingPortal.clients, "robot") and data.values.trainingPortal.clients.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "id") and data.values.trainingPortal.clients.robot.id != None: + id: #@ data.values.trainingPortal.clients.robot.id + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "secret") and data.values.trainingPortal.clients.robot.secret != None: + secret: #@ data.values.trainingPortal.clients.robot.secret +#@ if/end hasattr(data.values, "dockerDaemon") and data.values.dockerDaemon != None: +dockerDaemon: + #@ if/end hasattr(data.values.dockerDaemon, "networkMTU") and data.values.dockerDaemon.networkMTU != None: + networkMTU: #@ data.values.dockerDaemon.networkMTU + #@ if/end hasattr(data.values.dockerDaemon, "proxyCache") and data.values.dockerDaemon.proxyCache != None: + proxyCache: + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "remoteURL") and data.values.dockerDaemon.proxyCache.remoteURL != None: + remoteURL: #@ data.values.dockerDaemon.proxyCache.remoteURL + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "username") and data.values.dockerDaemon.proxyCache.username != None: + username: #@ data.values.dockerDaemon.proxyCache.username + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "password") and data.values.dockerDaemon.proxyCache.password != None: + password: #@ data.values.dockerDaemon.proxyCache.password +#@ if/end hasattr(data.values, "clusterNetwork") and data.values.clusterNetwork != None: +clusterNetwork: #@ data.values.clusterNetwork +#@ if/end hasattr(data.values, "workshopAnalytics") and data.values.workshopAnalytics != None: +workshopAnalytics: + #@ if/end 
hasattr(data.values.workshopAnalytics, "google") and data.values.workshopAnalytics.google != None: + google: + #@ if/end hasattr(data.values.workshopAnalytics.google, "trackingId") and data.values.workshopAnalytics.google.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.google.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "clarity") and data.values.workshopAnalytics.clarity != None: + clarity: + #@ if/end hasattr(data.values.workshopAnalytics.clarity, "trackingId") and data.values.workshopAnalytics.clarity.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.clarity.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "amplitude") and data.values.workshopAnalytics.amplitude != None: + amplitude: + #@ if/end hasattr(data.values.workshopAnalytics.amplitude, "trackingId") and data.values.workshopAnalytics.amplitude.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.amplitude.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "webhook") and data.values.workshopAnalytics.webhook != None: + webhook: + #@ if/end hasattr(data.values.workshopAnalytics.webhook, "url") and data.values.workshopAnalytics.webhook.url != None: + url: #@ data.values.workshopAnalytics.webhook.url +#@ if/end hasattr(data.values, "websiteStyling") and data.values.websiteStyling != None: +websiteStyling: + #@ if/end hasattr(data.values.websiteStyling, "workshopDashboard") and data.values.websiteStyling.workshopDashboard != None: + workshopDashboard: + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "html") and data.values.websiteStyling.workshopDashboard.html != None: + html: #@ data.values.websiteStyling.workshopDashboard.html + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "script") and data.values.websiteStyling.workshopDashboard.script != None: + script: #@ data.values.websiteStyling.workshopDashboard.script + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "style") 
and data.values.websiteStyling.workshopDashboard.style != None: + style: #@ data.values.websiteStyling.workshopDashboard.style + #@ if/end hasattr(data.values.websiteStyling, "workshopInstructions") and data.values.websiteStyling.workshopInstructions != None: + workshopInstructions: + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "html") and data.values.websiteStyling.workshopInstructions.html != None: + html: #@ data.values.websiteStyling.workshopInstructions.html + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "script") and data.values.websiteStyling.workshopInstructions.script != None: + script: #@ data.values.websiteStyling.workshopInstructions.script + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "style") and data.values.websiteStyling.workshopInstructions.style != None: + style: #@ data.values.websiteStyling.workshopInstructions.style + #@ if/end hasattr(data.values.websiteStyling, "workshopStarted") and data.values.websiteStyling.workshopStarted != None: + workshopStarted: + #@ if/end hasattr(data.values.websiteStyling.workshopStarted, "html") and data.values.websiteStyling.workshopStarted.html != None: + html: #@ data.values.websiteStyling.workshopStarted.html + #@ if/end hasattr(data.values.websiteStyling, "workshopFinished") and data.values.websiteStyling.workshopFinished != None: + workshopFinished: + #@ if/end hasattr(data.values.websiteStyling.workshopFinished, "html") and data.values.websiteStyling.workshopFinished.html != None: + html: #@ data.values.websiteStyling.workshopFinished.html + #@ if/end hasattr(data.values.websiteStyling, "trainingPortal") and data.values.websiteStyling.trainingPortal != None: + trainingPortal: + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "html") and data.values.websiteStyling.trainingPortal.html != None: + html: #@ data.values.websiteStyling.trainingPortal.html + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "script") and 
data.values.websiteStyling.trainingPortal.script != None: + script: #@ data.values.websiteStyling.trainingPortal.script + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "style") and data.values.websiteStyling.trainingPortal.style != None: + style: #@ data.values.websiteStyling.trainingPortal.style + #@ if/end hasattr(data.values.websiteStyling, "defaultTheme") and data.values.websiteStyling.defaultTheme != None: + defaultTheme: #@ data.values.websiteStyling.defaultTheme + #@ if/end hasattr(data.values.websiteStyling, "themeDataRefs") and data.values.websiteStyling.themeDataRefs != None: + themeDataRefs: #@ data.values.websiteStyling.themeDataRefs + #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: + frameAncestors: #@ data.values.websiteStyling.frameAncestors +#@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star new file mode 100644 index 000000000..2c5b8bf26 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/eks/functions.star 
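Review bot: `enabled: #@ data.values.imagePuller.enabled` is the one leaf in `copy_all_educates_values` read without a `hasattr`/`!= None` guard, so an `imagePuller:` block that omits `enabled` aborts rendering with a missing-field error where every other absent field is silently skipped; guard it like its siblings with `#@ if/end hasattr(data.values.imagePuller, "enabled") and data.values.imagePuller.enabled != None:` above the `enabled:` line. The `tlsCertificateRef.namespace` line uses the `cond and x or "projectcontour"` idiom, which turns an empty-string namespace into the default silently; an explicit if/else makes that fallback visible. The function copies private key material and credentials (`tls.key`, admin/robot passwords, robot client secret, proxy-cache password) verbatim into package settings, which is worth a one-line comment at the top of the function so consumers know the fragment is sensitive.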
@@ -0,0 +1,35 @@ +load("@ytt:data", "data") +load("defaults.star", "enabledByDefaultPackagesList") + +def isClusterPackageEnableByDefault(package): + return package in enabledByDefaultPackagesList +end + +def isClusterPackageEnabled(package): + if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"): + return data.values.clusterPackages[package].enabled + else: + return package in enabledByDefaultPackagesList + end +end + +def isClusterPackageExplicitDisabled(package): + return not isClusterPackageEnabled(package) +end + +def xgetattr(object, path, default=None): + def _lookup(object, key, default=None): + keys = key.split(".") + value = default + for key in keys: + value = getattr(object, key, None) + if value == None: + return default + end + object = value + end + return value + end + + return _lookup(object, path, default) +end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml new file mode 100644 index 000000000..c64d2fda6 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/00-remove-toplevel-values.yaml 
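Review bot: `isClusterPackageExplicitDisabled` returns `not isClusterPackageEnabled(package)`, so it is also true for packages that are merely absent from `enabledByDefaultPackagesList` and were never touched by the user; `99-remove-settings-disabled.yaml` uses it to wipe settings, so either rename it to `isClusterPackageDisabled` or make it test only for an explicit `enabled: false` in data.values. `isClusterPackageEnabled` returns the user's value unchanged, so `enabled: "false"` (a string, truthy in Starlark) or `enabled: null` propagates as-is; returning `data.values.clusterPackages[package].enabled == True` or rejecting non-boolean values would stop a typo from silently toggling a package. In `xgetattr`, the nested `_lookup` re-declares a `default` parameter and reuses `key` as the loop variable over `keys`; a single flat function body with distinct names would read more clearly.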
@@ -0,0 +1,48 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/remove
+debug:
+
+#@overlay/remove
+localKindCluster:
+#@overlay/remove
+localDNSResolver:
+
+#@overlay/remove
+clusterInfrastructure:
+
+#@overlay/remove
+imageRegistry:
+#@overlay/remove
+version:
+#@overlay/remove
+imageVersions:
+#@overlay/remove
+clusterRuntime:
+#@overlay/remove
+clusterIngress:
+#@overlay/remove
+sessionCookies:
+#@overlay/remove
+clusterStorage:
+#@overlay/remove
+clusterSecrets:
+#@overlay/remove
+clusterSecurity:
+#@overlay/remove
+workshopSecurity:
+#@overlay/remove
+trainingPortal:
+#@overlay/remove
+dockerDaemon:
+#@overlay/remove
+clusterNetwork:
+#@overlay/remove
+workshopAnalytics:
+#@overlay/remove
+websiteStyling:
+#@overlay/remove
+imagePuller:
+#@overlay/remove
+lookupService:
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-default-settings-for-provider.yaml
new file mode 100644
index 000000000..221ebf2c1
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/10-default-settings-for-provider.yaml
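Review bot: None of the `#@overlay/remove` annotations here carries `#@overlay/match missing_ok=True`, and ytt's default matcher requires exactly one match, so if the document being overlaid ever lacks one of these keys (for example `debug` or `localDNSResolver` left unset), rendering fails instead of skipping the key; unless a schema guarantees every key is present, add `#@overlay/match missing_ok=True` above each `#@overlay/remove`. The keys stripped here (including `clusterSecrets`, `clusterSecurity`, `workshopSecurity`, `trainingPortal`) are the same ones `80-copy-educates-config.yaml` re-nests under `clusterPackages.educates.settings`; a header comment such as `#! Keep this list in sync with the fields copied by educates.lib.yaml` would help the two stay aligned, since a key removed here but not copied there is silently lost.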
@@ -0,0 +1,31 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageEnableByDefault") + +#! This file contains default values for the custom infrastructure provider. +#! These are the values that will be set if not overridden by the user. + +#@overlay/match-child-defaults missing_ok=True +#@overlay/replace +clusterPackages: + contour: + enabled: #@ isClusterPackageEnableByDefault("contour") + settings: {} + cert-manager: + enabled: #@ isClusterPackageEnableByDefault("cert-manager") + settings: {} + external-dns: + enabled: #@ isClusterPackageEnableByDefault("external-dns") + settings: {} + certs: + enabled: #@ isClusterPackageEnableByDefault("certs") + settings: {} + kyverno: + enabled: #@ isClusterPackageEnableByDefault("kyverno") + settings: {} + kapp-controller: + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") + settings: {} + educates: + enabled: #@ isClusterPackageEnableByDefault("educates") + settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml new file mode 100644 index 000000000..8d4b7d343 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/50-packages-enablement.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This enables packages based on the user input + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): + enabled: #@ data.values.clusterPackages.kyverno.enabled \ No newline at end of file 
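Review bot: In `50-packages-enablement.yaml`, `enabled: #@ data.values.clusterPackages.kyverno.enabled` re-implements the lookup that `isClusterPackageEnabled("kyverno")` in functions.star already performs, and unlike the other guards in this change it does not test for `None`, so `enabled: null` is written through verbatim; loading the helper and writing `enabled: #@ isClusterPackageEnabled("kyverno")` keeps the enable decision here consistent with the one `99-remove-settings-disabled.yaml` uses to clear settings. Since kyverno is the policy engine and the generic README states it is the only package the user may disable, a one-line comment at the toggle noting that `enabled: false` presumably removes policy enforcement from the cluster would make the risk visible where it is taken.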
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml new file mode 100644 index 000000000..1afda1acb --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/80-copy-educates-config.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml new file mode 100644 index 000000000..25b8297c8 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/99-remove-settings-disabled.yaml 
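Review bot: This file is byte-identical to the eks copy (same index `1afda1acb`), and it has the same two issues: the `settings:` merge under `missing_ok=True` does not replace an existing `settings` map, so `#@overlay/replace` is needed above `settings:` if replacement is intended, and the resulting `clusterPackages.educates.settings` carries `tls.key` and the portal, robot and proxy-cache credentials and must be handled as secret data downstream. Keeping one shared copy under `_ytt_lib` rather than a per-provider duplicate would stop the two from drifting, which has already happened between the two `educates.lib.yaml` files.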
@@ -0,0 +1,36 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} + #! educates: + #! #@ if/end isClusterPackageExplicitDisabled("educates"): + #! #@overlay/replace + #! settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md new file mode 100644 index 000000000..d439c6d28 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/README.md @@ -0,0 +1,4 @@ +# vcluster +By default, only kyverno and educates will be installed +We only allow to enabling/disabling kyverno +We copy all educates main config to the clusterPackage diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star new file mode 100644 index 000000000..e0e228579 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/defaults.star 
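Review bot: As in the eks copy of this file, the `educates` entry is commented out, so a disabled educates package keeps the `settings` block that `80-copy-educates-config.yaml` populates with `tls.key`, portal passwords and the robot client secret; unless that is intentional, uncomment the four `educates:` lines so the secret material is cleared along with the other packages' settings. The generic provider only lets the user toggle kyverno (per the README), so the contour, cert-manager, external-dns and certs branches here can never clear anything different from what `10-default-settings-for-provider.yaml` already set; a comment saying the file is kept in lockstep with the eks provider would explain why they remain.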
@@ -0,0 +1,6 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ + "kyverno", + "educates" +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml new file mode 100644 index 000000000..b721fccf0 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/educates.lib.yaml 
@@ -0,0 +1,173 @@ +#@ load("@ytt:data", "data") + +#@ def copy_all_educates_values(): + +#@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: +imageRegistry: + #@ if/end hasattr(data.values.imageRegistry, "namespace") and data.values.imageRegistry.namespace != None: + namespace: #@ data.values.imageRegistry.namespace + #@ if/end hasattr(data.values.imageRegistry, "host") and data.values.imageRegistry.host != None: + host: #@ data.values.imageRegistry.host +#@ if/end hasattr(data.values, "version") and data.values.version != None: +version: #@ data.values.version +#@ if/end hasattr(data.values, "imageVersions") and data.values.imageVersions != None: +imageVersions: #@ data.values.imageVersions +#@ if/end hasattr(data.values, "clusterRuntime") and data.values.clusterRuntime != None: +clusterRuntime: #@ data.values.clusterRuntime +#@ if/end hasattr(data.values, "clusterIngress") and data.values.clusterIngress != None: +clusterIngress: + #@ if/end hasattr(data.values.clusterIngress, "domain") and data.values.clusterIngress.domain != None: + domain: #@ data.values.clusterIngress.domain + #@ if/end hasattr(data.values.clusterIngress, "class") and data.values.clusterIngress["class"] != None: + class: #@ data.values.clusterIngress["class"] + #@ if/end hasattr(data.values.clusterIngress, "protocol") and data.values.clusterIngress.protocol != None: + protocol: #@ data.values.clusterIngress.protocol + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificate") and data.values.clusterIngress.tlsCertificate != None: + tlsCertificate: + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.crt") and data.values.clusterIngress.tlsCertificate["tls.crt"] != None: + tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"] + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None: + tls.key: #@ data.values.clusterIngress.tlsCertificate["tls.key"] 
+ #! TODO: Customize certs name reference in eks + #! projectcontour/wildcard + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None: + tlsCertificateRef: + namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour" + #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None: + name: #@ data.values.clusterIngress.tlsCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None: + caCertificate: #@ data.values.clusterIngress.caCertificate + #@ if/end hasattr(data.values.clusterIngress, "caCertificateRef") and data.values.clusterIngress.caCertificateRef != None: + caCertificateRef: + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "namespace") and data.values.clusterIngress.caCertificateRef.namespace != None: + namespace: #@ data.values.clusterIngress.caCertificateRef.namespace + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "name") and data.values.clusterIngress.caCertificateRef.name != None: + name: #@ data.values.clusterIngress.caCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caNodeInjector") and data.values.clusterIngress.caNodeInjector != None: + caNodeInjector: #@ data.values.clusterIngress.caNodeInjector +#@ if/end hasattr(data.values, "sessionCookies") and data.values.sessionCookies != None: +sessionCookies: #@ data.values.sessionCookies +#@ if/end hasattr(data.values, "clusterStorage") and data.values.clusterStorage != None: +clusterStorage: + #@ if/end hasattr(data.values.clusterStorage, "class") and data.values.clusterStorage["class"] != None: + class: #@ data.values.clusterStorage["class"] + #@ if/end 
hasattr(data.values.clusterStorage, "user") and data.values.clusterStorage.user != None: + user: #@ data.values.clusterStorage.user + #@ if/end hasattr(data.values.clusterStorage, "group") and data.values.clusterStorage.group != None: + group: #@ data.values.clusterStorage.group +#@ if/end hasattr(data.values, "clusterSecrets") and data.values.clusterSecrets != None: +clusterSecrets: #@ data.values.clusterSecrets +#@ if/end hasattr(data.values, "clusterSecurity") and data.values.clusterSecurity != None: +clusterSecurity: #@ data.values.clusterSecurity +#@ if/end hasattr(data.values, "workshopSecurity") and data.values.workshopSecurity != None: +workshopSecurity: #@ data.values.workshopSecurity +#@ if/end hasattr(data.values, "trainingPortal") and data.values.trainingPortal != None: +trainingPortal: + #@ if/end hasattr(data.values.trainingPortal, "credentials") and data.values.trainingPortal.credentials != None: + credentials: + #@ if/end hasattr(data.values.trainingPortal.credentials, "admin") and data.values.trainingPortal.credentials.admin != None: + admin: + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "username") and data.values.trainingPortal.credentials.admin.username != None: + username: #@ data.values.trainingPortal.credentials.admin.username + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: + password: #@ data.values.trainingPortal.credentials.admin.password + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: + username: #@ data.values.trainingPortal.credentials.robot.username + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "password") and data.values.trainingPortal.credentials.robot.password != None: 
+ password: #@ data.values.trainingPortal.credentials.robot.password + #@ if/end hasattr(data.values.trainingPortal, "clients") and data.values.trainingPortal.clients != None: + clients: + #@ if/end hasattr(data.values.trainingPortal.clients, "robot") and data.values.trainingPortal.clients.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "id") and data.values.trainingPortal.clients.robot.id != None: + id: #@ data.values.trainingPortal.clients.robot.id + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "secret") and data.values.trainingPortal.clients.robot.secret != None: + secret: #@ data.values.trainingPortal.clients.robot.secret +#@ if/end hasattr(data.values, "dockerDaemon") and data.values.dockerDaemon != None: +dockerDaemon: + #@ if/end hasattr(data.values.dockerDaemon, "networkMTU") and data.values.dockerDaemon.networkMTU != None: + networkMTU: #@ data.values.dockerDaemon.networkMTU + #@ if/end hasattr(data.values.dockerDaemon, "proxyCache") and data.values.dockerDaemon.proxyCache != None: + proxyCache: + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "remoteURL") and data.values.dockerDaemon.proxyCache.remoteURL != None: + remoteURL: #@ data.values.dockerDaemon.proxyCache.remoteURL + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "username") and data.values.dockerDaemon.proxyCache.username != None: + username: #@ data.values.dockerDaemon.proxyCache.username + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "password") and data.values.dockerDaemon.proxyCache.password != None: + password: #@ data.values.dockerDaemon.proxyCache.password +#@ if/end hasattr(data.values, "clusterNetwork") and data.values.clusterNetwork != None: +clusterNetwork: #@ data.values.clusterNetwork +#@ if/end hasattr(data.values, "workshopAnalytics") and data.values.workshopAnalytics != None: +workshopAnalytics: + #@ if/end hasattr(data.values.workshopAnalytics, "google") and data.values.workshopAnalytics.google != 
None: + google: + #@ if/end hasattr(data.values.workshopAnalytics.google, "trackingId") and data.values.workshopAnalytics.google.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.google.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "clarity") and data.values.workshopAnalytics.clarity != None: + clarity: + #@ if/end hasattr(data.values.workshopAnalytics.clarity, "trackingId") and data.values.workshopAnalytics.clarity.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.clarity.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "amplitude") and data.values.workshopAnalytics.amplitude != None: + amplitude: + #@ if/end hasattr(data.values.workshopAnalytics.amplitude, "trackingId") and data.values.workshopAnalytics.amplitude.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.amplitude.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "webhook") and data.values.workshopAnalytics.webhook != None: + webhook: + #@ if/end hasattr(data.values.workshopAnalytics.webhook, "url") and data.values.workshopAnalytics.webhook.url != None: + url: #@ data.values.workshopAnalytics.webhook.url +#@ if/end hasattr(data.values, "websiteStyling") and data.values.websiteStyling != None: +websiteStyling: + #@ if/end hasattr(data.values.websiteStyling, "workshopDashboard") and data.values.websiteStyling.workshopDashboard != None: + workshopDashboard: + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "html") and data.values.websiteStyling.workshopDashboard.html != None: + html: #@ data.values.websiteStyling.workshopDashboard.html + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "script") and data.values.websiteStyling.workshopDashboard.script != None: + script: #@ data.values.websiteStyling.workshopDashboard.script + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "style") and data.values.websiteStyling.workshopDashboard.style != None: + style: #@ 
data.values.websiteStyling.workshopDashboard.style + #@ if/end hasattr(data.values.websiteStyling, "workshopInstructions") and data.values.websiteStyling.workshopInstructions != None: + workshopInstructions: + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "html") and data.values.websiteStyling.workshopInstructions.html != None: + html: #@ data.values.websiteStyling.workshopInstructions.html + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "script") and data.values.websiteStyling.workshopInstructions.script != None: + script: #@ data.values.websiteStyling.workshopInstructions.script + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "style") and data.values.websiteStyling.workshopInstructions.style != None: + style: #@ data.values.websiteStyling.workshopInstructions.style + #@ if/end hasattr(data.values.websiteStyling, "workshopStarted") and data.values.websiteStyling.workshopStarted != None: + workshopStarted: + #@ if/end hasattr(data.values.websiteStyling.workshopStarted, "html") and data.values.websiteStyling.workshopStarted.html != None: + html: #@ data.values.websiteStyling.workshopStarted.html + #@ if/end hasattr(data.values.websiteStyling, "workshopFinished") and data.values.websiteStyling.workshopFinished != None: + workshopFinished: + #@ if/end hasattr(data.values.websiteStyling.workshopFinished, "html") and data.values.websiteStyling.workshopFinished.html != None: + html: #@ data.values.websiteStyling.workshopFinished.html + #@ if/end hasattr(data.values.websiteStyling, "trainingPortal") and data.values.websiteStyling.trainingPortal != None: + trainingPortal: + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "html") and data.values.websiteStyling.trainingPortal.html != None: + html: #@ data.values.websiteStyling.trainingPortal.html + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "script") and data.values.websiteStyling.trainingPortal.script != None: + script: #@ 
data.values.websiteStyling.trainingPortal.script + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "style") and data.values.websiteStyling.trainingPortal.style != None: + style: #@ data.values.websiteStyling.trainingPortal.style + #@ if/end hasattr(data.values.websiteStyling, "defaultTheme") and data.values.websiteStyling.defaultTheme != None: + defaultTheme: #@ data.values.websiteStyling.defaultTheme + #@ if/end hasattr(data.values.websiteStyling, "themeDataRefs") and data.values.websiteStyling.themeDataRefs != None: + themeDataRefs: #@ data.values.websiteStyling.themeDataRefs + #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: + frameAncestors: #@ data.values.websiteStyling.frameAncestors +#@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star new file mode 100644 index 000000000..6a078759f --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/generic/functions.star 
@@ -0,0 +1,18 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+ return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+ if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+ return data.values.clusterPackages[package].enabled
+ else:
+ return package in enabledByDefaultPackagesList
+ end
+end
+
+def isClusterPackageExplicitDisabled(package):
+ return not isClusterPackageEnabled(package)
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml
new file mode 100644
index 000000000..c64d2fda6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/00-remove-toplevel-values.yaml
@@ -0,0 +1,48 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/remove
+debug:
+
+#@overlay/remove
+localKindCluster:
+#@overlay/remove
+localDNSResolver:
+
+#@overlay/remove
+clusterInfrastructure:
+
+#@overlay/remove
+imageRegistry:
+#@overlay/remove
+version:
+#@overlay/remove
+imageVersions:
+#@overlay/remove
+clusterRuntime:
+#@overlay/remove
+clusterIngress:
+#@overlay/remove
+sessionCookies:
+#@overlay/remove
+clusterStorage:
+#@overlay/remove
+clusterSecrets:
+#@overlay/remove
+clusterSecurity:
+#@overlay/remove
+workshopSecurity:
+#@overlay/remove
+trainingPortal:
+#@overlay/remove
+dockerDaemon:
+#@overlay/remove
+clusterNetwork:
+#@overlay/remove
+workshopAnalytics:
+#@overlay/remove
+websiteStyling:
+#@overlay/remove
+imagePuller:
+#@overlay/remove
+lookupService:
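Review bot: `isClusterPackageExplicitDisabled` returns `not isClusterPackageEnabled(package)`, which is also true for a package that is merely absent from `enabledByDefaultPackagesList` and from the user's `clusterPackages`, so the "Explicit" in the name overstates what is checked and the `*-remove-settings-disabled.yaml` overlays that call it will clear settings for implicitly disabled packages too. Either rename it (`isClusterPackageDisabled`) or make it test that the user actually set `enabled: false`. `isClusterPackageEnabled` hands back the raw `enabled` value without confirming it is a boolean, so a quoted `"false"` counts as enabled; a comment such as `# enabled must be a bool: a non-empty string is truthy here` would flag that to the next reader. The same three functions are repeated verbatim in gke/functions.star later in this diff.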
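Review bot: Every `#@overlay/remove` here relies on the default matcher, which expects exactly one match, so if the document being overlaid lacks any of these keys (`debug:` or `localKindCluster:` on a GKE install, for example) ytt aborts with an "expected exactly 1 match" error instead of skipping the key; each removal that may be absent needs `#@overlay/match missing_ok=True` on the line above its `#@overlay/remove`. `data` is loaded but never used in this file. The kind copy of this file later in the diff carries the same index `c64d2fda6` and therefore the same behaviour.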
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml new file mode 100644 index 000000000..d71e02bd0 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/10-default-settings-for-provider.yaml 
@@ -0,0 +1,71 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:assert", "assert")
+#@ load("functions.star", "isClusterPackageEnableByDefault", "xgetattr")
+
+#@ (hasWorkloadIdentityExternalDns, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["gcp"]["workloadIdentity"]["external-dns"]) > 0)
+#@ if hasWorkloadIdentityExternalDns:
+#@ externalDnsWorkloadIdentity = data.values["clusterInfrastructure"]["gcp"]["workloadIdentity"]["external-dns"]
+#@ else:
+#@ fail("external-dns is enabled and can not be configured. Missing WorkloadIdentity")
+#@ end
+
+#@ (hasWorkloadIdentityCertManager, _) = assert.try_to(lambda: len(data.values["clusterInfrastructure"]["gcp"]["workloadIdentity"]["cert-manager"]) > 0)
+#@ if hasWorkloadIdentityCertManager:
+#@ certManagerWorkloadIdentity = data.values["clusterInfrastructure"]["gcp"]["workloadIdentity"]["cert-manager"]
+#@ else:
+#@ fail("cert-manager is enabled and can not be configured. Missing workloadIdentity")
+#@ end
+
+#@overlay/match-child-defaults missing_ok=True
+#@overlay/replace
+clusterPackages:
+ contour:
+ enabled: #@ isClusterPackageEnableByDefault("contour")
+ settings:
+ infraProvider: gcp
+ configFileContents:
+ defaultHttpVersions:
+ - "HTTP/1.1"
+ service:
+ type: LoadBalancer
+ externaldns:
+ domains:
+ - #@ data.values.clusterIngress.domain
+ cert-manager:
+ enabled: #@ isClusterPackageEnableByDefault("cert-manager")
+ settings:
+ serviceaccount:
+ annotations:
+ iam.gke.io/gcp-service-account: #@ certManagerWorkloadIdentity
+ external-dns:
+ enabled: #@ isClusterPackageEnableByDefault("external-dns")
+ settings:
+ infraProvider: gcp
+ serviceaccount:
+ annotations:
+ iam.gke.io/gcp-service-account: #@ externalDnsWorkloadIdentity
+ gcp:
+ args:
+ project: #@ data.values.clusterInfrastructure.gcp.project
+ domain_filter: #@ data.values.clusterInfrastructure.gcp.cloudDNS.zone if hasattr(data.values.clusterInfrastructure.gcp.cloudDNS, "zone") else data.values.clusterIngress.domain
+ txt_owner_id: "educates"
+ certs:
+ enabled: #@ isClusterPackageEnableByDefault("certs")
+ settings:
+ certProvider: acme-gcp
+ domains:
+ - #@ data.values.clusterIngress.domain
+ acme:
+ gcp:
+ project: #@ data.values.clusterInfrastructure.gcp.project
+ kyverno:
+ enabled: #@ isClusterPackageEnableByDefault("kyverno")
+ settings: {}
+ kapp-controller:
+ enabled: #@ isClusterPackageEnableByDefault("kapp-controller")
+ settings: {}
+ educates:
+ enabled: #@ isClusterPackageEnableByDefault("educates")
+ settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")
+
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml
new file mode 100644
index 000000000..43314cca6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/12-overlays.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ educates:
+ settings:
+ clusterIngress:
+ tlsCertificateRef:
+ namespace: projectcontour
+ name: educateswildcard
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-packages-enablement.yaml
new file mode 100644
index 000000000..0a383ee3e
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/50-packages-enablement.yaml
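Review bot: Both `fail(...)` calls run unconditionally, so a user who turns off external-dns or cert-manager through `clusterPackages.<name>.enabled: false` (honoured later by 50-packages-enablement.yaml) still cannot render without supplying `clusterInfrastructure.gcp.workloadIdentity` for both, and the messages "external-dns is enabled" / "cert-manager is enabled" are then untrue; load `isClusterPackageEnabled` as well and guard each branch, e.g. `#@ if not hasWorkloadIdentityExternalDns and isClusterPackageEnabled("external-dns"):`. The `domain_filter` expression calls `hasattr(data.values.clusterInfrastructure.gcp.cloudDNS, "zone")`, which itself raises when `cloudDNS` is absent, whereas the already-loaded helper tolerates that: `xgetattr(data.values, "clusterInfrastructure.gcp.cloudDNS.zone") or data.values.clusterIngress.domain`. `txt_owner_id` is fixed to `"educates"`, so two installs sharing one Cloud DNS zone would treat each other's records as their own; a comment or a value-driven owner id is worth adding. The `iam.gke.io/gcp-service-account` annotations bind each package's Kubernetes SA to a GCP SA; a short `#!` line reminding operators that those GCP SAs should carry only the DNS and ACME permissions the package needs would help keep them least-privilege.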
@@ -0,0 +1,28 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This enables packages based on the user input + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"): + enabled: #@ data.values.clusterPackages.contour.enabled + cert-manager: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"): + enabled: #@ data.values.clusterPackages["cert-manager"].enabled + external-dns: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"): + enabled: #@ data.values.clusterPackages["external-dns"].enabled + certs: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"): + enabled: #@ data.values.clusterPackages.certs.enabled + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): + enabled: #@ data.values.clusterPackages.kyverno.enabled + kapp-controller: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"): + enabled: #@ data.values.clusterPackages["kapp-controller"].enabled + educates: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): + enabled: #@ data.values.clusterPackages.educates.enabled 
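Review bot: Each `#@ if/end` here re-implements the lookup that `isClusterPackageEnabled` in functions.star already does, and the value is copied through without checking that it is a boolean, so `enabled: "false"` would enable the package here while 99-remove-settings-disabled.yaml decides from the same raw value. Loading the helper and writing `enabled: #@ isClusterPackageEnabled("contour")` per package (no `if/end` needed, since the helper falls back to the default list) keeps a single definition of "enabled". The `#!` comment could also state that this overlay intentionally runs after 10-default-settings-for-provider.yaml so user input wins. The kind copy of this file (index `0a383ee3e`) is identical and gets the same remarks.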
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml
new file mode 100644
index 000000000..1afda1acb
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/80-copy-educates-config.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("educates.lib.yaml", "copy_all_educates_values")
+
+#! This copies user provided values for the custom infrastructure provider.
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ educates:
+ settings: #@ copy_all_educates_values()
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml
new file mode 100644
index 000000000..25b8297c8
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/99-remove-settings-disabled.yaml
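Review bot: The comment `#! This copies user provided values for the custom infrastructure provider.` was carried over from another provider; this file lives under gke and should say so. 10-default-settings-for-provider.yaml first seeds `clusterPackages.educates.settings` from the user's `clusterPackages.educates.settings`, and this overlay then merges the top-level values over it with `missing_ok=True`, so a key given in both places appears to end up with the top-level value; that precedence is not written down anywhere and deserves a second line, e.g. `#! Top-level values override clusterPackages.educates.settings when both set the same key.`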
@@ -0,0 +1,36 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "isClusterPackageExplicitDisabled")
+
+#! This removes settings for disabled packages
+
+#@overlay/match-child-defaults missing_ok=True
+clusterPackages:
+ contour:
+ #@ if/end isClusterPackageExplicitDisabled("contour"):
+ #@overlay/replace
+ settings: {}
+ cert-manager:
+ #@ if/end isClusterPackageExplicitDisabled("cert-manager"):
+ #@overlay/replace
+ settings: {}
+ external-dns:
+ #@ if/end isClusterPackageExplicitDisabled("external-dns"):
+ #@overlay/replace
+ settings: {}
+ certs:
+ #@ if/end isClusterPackageExplicitDisabled("certs"):
+ #@overlay/replace
+ settings: {}
+ kyverno:
+ #@ if/end isClusterPackageExplicitDisabled("kyverno"):
+ #@overlay/replace
+ settings: {}
+ kapp-controller:
+ #@ if/end isClusterPackageExplicitDisabled("kapp-controller"):
+ #@overlay/replace
+ settings: {}
+ #! educates:
+ #! #@ if/end isClusterPackageExplicitDisabled("educates"):
+ #! #@overlay/replace
+ #! settings: {}
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/README.md
new file mode 100644
index 000000000..33b182298
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/README.md
@@ -0,0 +1,3 @@
+# GKE
+For GKE we only allow the opinionated configuration for the packages, so, not settings are allowed
+although enabling/disabling the package is allowed at users' risk.
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star
new file mode 100644
index 000000000..6b9484322
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/defaults.star
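Review bot: The commented-out `educates` block at the end should either be removed or carry a `#!` line explaining why educates settings are never cleared (presumably because the installer always needs them); dead template text like this tends to get un-commented by accident. `isClusterPackageExplicitDisabled` is also true for packages that are simply not in the default list, so the header comment should say "disabled or not enabled" rather than "disabled". The kind counterpart is numbered 80 and runs before its copy step, while this one is 99 and runs after 80-copy-educates-config.yaml; the result is the same today only because educates is excluded here, so aligning the numbering across providers would avoid a surprise if educates is ever added to the list.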
@@ -0,0 +1,10 @@
+load("@ytt:data", "data")
+
+enabledByDefaultPackagesList = [
+ "cert-manager",
+ "contour",
+ "external-dns",
+ "certs",
+ "kyverno",
+ "educates"
+]
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml
new file mode 100644
index 000000000..3cba7762a
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/educates.lib.yaml
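Review bot: `data` is loaded but never referenced in this file, so the `load("@ytt:data", "data")` line is dead and can go. A one-line comment above the list would make the opt-in/opt-out split explicit for readers of functions.star: `# Packages installed unless the user sets clusterPackages.<name>.enabled: false; anything not listed (kapp-controller) is opt-in.`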
@@ -0,0 +1,174 @@ +#@ load("@ytt:data", "data") + +#! TODO: Customize certs name reference in eks +#@ def copy_all_educates_values(): + +#@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: +imageRegistry: + #@ if/end hasattr(data.values.imageRegistry, "namespace") and data.values.imageRegistry.namespace != None: + namespace: #@ data.values.imageRegistry.namespace + #@ if/end hasattr(data.values.imageRegistry, "host") and data.values.imageRegistry.host != None: + host: #@ data.values.imageRegistry.host +#@ if/end hasattr(data.values, "version") and data.values.version != None: +version: #@ data.values.version +#@ if/end hasattr(data.values, "imageVersions") and data.values.imageVersions != None: +imageVersions: #@ data.values.imageVersions +#@ if/end hasattr(data.values, "clusterRuntime") and data.values.clusterRuntime != None: +clusterRuntime: #@ data.values.clusterRuntime +#@ if/end hasattr(data.values, "clusterIngress") and data.values.clusterIngress != None: +clusterIngress: + #@ if/end hasattr(data.values.clusterIngress, "domain") and data.values.clusterIngress.domain != None: + domain: #@ data.values.clusterIngress.domain + #@ if/end hasattr(data.values.clusterIngress, "class") and data.values.clusterIngress["class"] != None: + class: #@ data.values.clusterIngress["class"] + #@ if/end hasattr(data.values.clusterIngress, "protocol") and data.values.clusterIngress.protocol != None: + protocol: #@ data.values.clusterIngress.protocol + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificate") and data.values.clusterIngress.tlsCertificate != None: + tlsCertificate: + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.crt") and data.values.clusterIngress.tlsCertificate["tls.crt"] != None: + tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"] + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None: + tls.key: #@ 
data.values.clusterIngress.tlsCertificate["tls.key"] + #! TODO: Customize certs name reference in eks + #! projectcontour/wildcard + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None: + tlsCertificateRef: + namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour" + #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None: + name: #@ data.values.clusterIngress.tlsCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None: + caCertificate: #@ data.values.clusterIngress.caCertificate + #@ if/end hasattr(data.values.clusterIngress, "caCertificateRef") and data.values.clusterIngress.caCertificateRef != None: + caCertificateRef: + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "namespace") and data.values.clusterIngress.caCertificateRef.namespace != None: + namespace: #@ data.values.clusterIngress.caCertificateRef.namespace + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "name") and data.values.clusterIngress.caCertificateRef.name != None: + name: #@ data.values.clusterIngress.caCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caNodeInjector") and data.values.clusterIngress.caNodeInjector != None: + caNodeInjector: #@ data.values.clusterIngress.caNodeInjector +#@ if/end hasattr(data.values, "sessionCookies") and data.values.sessionCookies != None: +sessionCookies: #@ data.values.sessionCookies +#@ if/end hasattr(data.values, "clusterStorage") and data.values.clusterStorage != None: +clusterStorage: + #@ if/end hasattr(data.values.clusterStorage, "class") and data.values.clusterStorage["class"] != None: + class: #@ 
data.values.clusterStorage["class"] + #@ if/end hasattr(data.values.clusterStorage, "user") and data.values.clusterStorage.user != None: + user: #@ data.values.clusterStorage.user + #@ if/end hasattr(data.values.clusterStorage, "group") and data.values.clusterStorage.group != None: + group: #@ data.values.clusterStorage.group +#@ if/end hasattr(data.values, "clusterSecrets") and data.values.clusterSecrets != None: +clusterSecrets: #@ data.values.clusterSecrets +#@ if/end hasattr(data.values, "clusterSecurity") and data.values.clusterSecurity != None: +clusterSecurity: #@ data.values.clusterSecurity +#@ if/end hasattr(data.values, "workshopSecurity") and data.values.workshopSecurity != None: +workshopSecurity: #@ data.values.workshopSecurity +#@ if/end hasattr(data.values, "trainingPortal") and data.values.trainingPortal != None: +trainingPortal: + #@ if/end hasattr(data.values.trainingPortal, "credentials") and data.values.trainingPortal.credentials != None: + credentials: + #@ if/end hasattr(data.values.trainingPortal.credentials, "admin") and data.values.trainingPortal.credentials.admin != None: + admin: + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "username") and data.values.trainingPortal.credentials.admin.username != None: + username: #@ data.values.trainingPortal.credentials.admin.username + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: + password: #@ data.values.trainingPortal.credentials.admin.password + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: + username: #@ data.values.trainingPortal.credentials.robot.username + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "password") and 
data.values.trainingPortal.credentials.robot.password != None: + password: #@ data.values.trainingPortal.credentials.robot.password + #@ if/end hasattr(data.values.trainingPortal, "clients") and data.values.trainingPortal.clients != None: + clients: + #@ if/end hasattr(data.values.trainingPortal.clients, "robot") and data.values.trainingPortal.clients.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "id") and data.values.trainingPortal.clients.robot.id != None: + id: #@ data.values.trainingPortal.clients.robot.id + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "secret") and data.values.trainingPortal.clients.robot.secret != None: + secret: #@ data.values.trainingPortal.clients.robot.secret +#@ if/end hasattr(data.values, "dockerDaemon") and data.values.dockerDaemon != None: +dockerDaemon: + #@ if/end hasattr(data.values.dockerDaemon, "networkMTU") and data.values.dockerDaemon.networkMTU != None: + networkMTU: #@ data.values.dockerDaemon.networkMTU + #@ if/end hasattr(data.values.dockerDaemon, "proxyCache") and data.values.dockerDaemon.proxyCache != None: + proxyCache: + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "remoteURL") and data.values.dockerDaemon.proxyCache.remoteURL != None: + remoteURL: #@ data.values.dockerDaemon.proxyCache.remoteURL + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "username") and data.values.dockerDaemon.proxyCache.username != None: + username: #@ data.values.dockerDaemon.proxyCache.username + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "password") and data.values.dockerDaemon.proxyCache.password != None: + password: #@ data.values.dockerDaemon.proxyCache.password +#@ if/end hasattr(data.values, "clusterNetwork") and data.values.clusterNetwork != None: +clusterNetwork: #@ data.values.clusterNetwork +#@ if/end hasattr(data.values, "workshopAnalytics") and data.values.workshopAnalytics != None: +workshopAnalytics: + #@ if/end 
hasattr(data.values.workshopAnalytics, "google") and data.values.workshopAnalytics.google != None: + google: + #@ if/end hasattr(data.values.workshopAnalytics.google, "trackingId") and data.values.workshopAnalytics.google.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.google.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "clarity") and data.values.workshopAnalytics.clarity != None: + clarity: + #@ if/end hasattr(data.values.workshopAnalytics.clarity, "trackingId") and data.values.workshopAnalytics.clarity.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.clarity.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "amplitude") and data.values.workshopAnalytics.amplitude != None: + amplitude: + #@ if/end hasattr(data.values.workshopAnalytics.amplitude, "trackingId") and data.values.workshopAnalytics.amplitude.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.amplitude.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "webhook") and data.values.workshopAnalytics.webhook != None: + webhook: + #@ if/end hasattr(data.values.workshopAnalytics.webhook, "url") and data.values.workshopAnalytics.webhook.url != None: + url: #@ data.values.workshopAnalytics.webhook.url +#@ if/end hasattr(data.values, "websiteStyling") and data.values.websiteStyling != None: +websiteStyling: + #@ if/end hasattr(data.values.websiteStyling, "workshopDashboard") and data.values.websiteStyling.workshopDashboard != None: + workshopDashboard: + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "html") and data.values.websiteStyling.workshopDashboard.html != None: + html: #@ data.values.websiteStyling.workshopDashboard.html + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "script") and data.values.websiteStyling.workshopDashboard.script != None: + script: #@ data.values.websiteStyling.workshopDashboard.script + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "style") 
and data.values.websiteStyling.workshopDashboard.style != None: + style: #@ data.values.websiteStyling.workshopDashboard.style + #@ if/end hasattr(data.values.websiteStyling, "workshopInstructions") and data.values.websiteStyling.workshopInstructions != None: + workshopInstructions: + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "html") and data.values.websiteStyling.workshopInstructions.html != None: + html: #@ data.values.websiteStyling.workshopInstructions.html + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "script") and data.values.websiteStyling.workshopInstructions.script != None: + script: #@ data.values.websiteStyling.workshopInstructions.script + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "style") and data.values.websiteStyling.workshopInstructions.style != None: + style: #@ data.values.websiteStyling.workshopInstructions.style + #@ if/end hasattr(data.values.websiteStyling, "workshopStarted") and data.values.websiteStyling.workshopStarted != None: + workshopStarted: + #@ if/end hasattr(data.values.websiteStyling.workshopStarted, "html") and data.values.websiteStyling.workshopStarted.html != None: + html: #@ data.values.websiteStyling.workshopStarted.html + #@ if/end hasattr(data.values.websiteStyling, "workshopFinished") and data.values.websiteStyling.workshopFinished != None: + workshopFinished: + #@ if/end hasattr(data.values.websiteStyling.workshopFinished, "html") and data.values.websiteStyling.workshopFinished.html != None: + html: #@ data.values.websiteStyling.workshopFinished.html + #@ if/end hasattr(data.values.websiteStyling, "trainingPortal") and data.values.websiteStyling.trainingPortal != None: + trainingPortal: + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "html") and data.values.websiteStyling.trainingPortal.html != None: + html: #@ data.values.websiteStyling.trainingPortal.html + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "script") and 
data.values.websiteStyling.trainingPortal.script != None: + script: #@ data.values.websiteStyling.trainingPortal.script + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "style") and data.values.websiteStyling.trainingPortal.style != None: + style: #@ data.values.websiteStyling.trainingPortal.style + #@ if/end hasattr(data.values.websiteStyling, "defaultTheme") and data.values.websiteStyling.defaultTheme != None: + defaultTheme: #@ data.values.websiteStyling.defaultTheme + #@ if/end hasattr(data.values.websiteStyling, "themeDataRefs") and data.values.websiteStyling.themeDataRefs != None: + themeDataRefs: #@ data.values.websiteStyling.themeDataRefs + #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: + frameAncestors: #@ data.values.websiteStyling.frameAncestors +#@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star new file mode 100644 index 000000000..2c5b8bf26 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/gke/functions.star 
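Review bot: `imagePuller.enabled` is emitted as `#@ data.values.imagePuller.enabled` without the `hasattr(...) and ... != None` guard that every other leaf in this function uses, so an `imagePuller:` block that omits `enabled` makes the render fail instead of falling back to the package default; `#@ if/end hasattr(data.values.imagePuller, "enabled") and data.values.imagePuller.enabled != None:` above it would match the rest. The two `#! TODO: Customize certs name reference in eks` comments refer to eks inside a gke file and should be reworded or dropped. This function copies `trainingPortal.credentials.*.password`, `trainingPortal.clients.robot.secret` and `dockerDaemon.proxyCache.password` into the rendered `clusterPackages.educates.settings`, so a `#!` line at the top of `copy_all_educates_values` saying that its output contains secrets and must be handled like a Secret (not logged, not committed) would help whoever consumes the rendered document. The body also appears identical to the visible tail of the generic provider's educates.lib.yaml at the start of this chunk; a single shared library under `_ytt_lib` would stop the two copies drifting apart.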
@@ -0,0 +1,35 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+ return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+ if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+ return data.values.clusterPackages[package].enabled
+ else:
+ return package in enabledByDefaultPackagesList
+ end
+end
+
+def isClusterPackageExplicitDisabled(package):
+ return not isClusterPackageEnabled(package)
+end
+
+def xgetattr(object, path, default=None):
+ def _lookup(object, key, default=None):
+ keys = key.split(".")
+ value = default
+ for key in keys:
+ value = getattr(object, key, None)
+ if value == None:
+ return default
+ end
+ object = value
+ end
+ return value
+ end
+
+ return _lookup(object, path, default)
+end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml
new file mode 100644
index 000000000..c64d2fda6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/00-remove-toplevel-values.yaml
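Review bot: In `xgetattr`, the inner `_lookup` rebinds its `key` parameter as the loop variable and assigns `value = default` only to overwrite it on the first iteration, which makes a plain dotted-attribute walk harder to read than it needs to be, and the outer wrapper adds nothing over calling the loop directly. The contract (return `default` as soon as any step is missing or `None`, otherwise the final value) is preserved by the flat version below, which also gets the one-line comment callers need since the result goes straight into `settings:`. The first three functions are a verbatim copy of generic/functions.star earlier in this diff and share the naming concern around `isClusterPackageExplicitDisabled`.
```starlark
def xgetattr(object, path, default=None):
  # Walk a dotted attribute path; return default as soon as a step is missing or None.
  value = object
  for key in path.split("."):
    value = getattr(value, key, None)
    if value == None:
      return default
    end
  end
  return value
end
```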
@@ -0,0 +1,48 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@overlay/remove +debug: + +#@overlay/remove +localKindCluster: +#@overlay/remove +localDNSResolver: + +#@overlay/remove +clusterInfrastructure: + +#@overlay/remove +imageRegistry: +#@overlay/remove +version: +#@overlay/remove +imageVersions: +#@overlay/remove +clusterRuntime: +#@overlay/remove +clusterIngress: +#@overlay/remove +sessionCookies: +#@overlay/remove +clusterStorage: +#@overlay/remove +clusterSecrets: +#@overlay/remove +clusterSecurity: +#@overlay/remove +workshopSecurity: +#@overlay/remove +trainingPortal: +#@overlay/remove +dockerDaemon: +#@overlay/remove +clusterNetwork: +#@overlay/remove +workshopAnalytics: +#@overlay/remove +websiteStyling: +#@overlay/remove +imagePuller: +#@overlay/remove +lookupService: diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-default-settings-for-provider.yaml new file mode 100644 index 000000000..0c03d83c2 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/10-default-settings-for-provider.yaml 
@@ -0,0 +1,41 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "xgetattr", "isClusterPackageEnableByDefault")
+#@ load("educates.lib.yaml", "copy_all_educates_values")
+
+#! This file contains default values for the custom infrastructure provider.
+#! These are the values that will be set if not overridden by the user.
+
+#@overlay/match-child-defaults missing_ok=True
+#@overlay/replace
+clusterPackages:
+ contour:
+ enabled: #@ isClusterPackageEnableByDefault("contour")
+ settings:
+ infraProvider: kind
+ contour:
+ replicas: 1
+ configFileContents:
+ defaultHttpVersions:
+ - "HTTP/1.1"
+ service:
+ type: ClusterIP
+ useHostPorts: true
+ cert-manager:
+ enabled: #@ isClusterPackageEnableByDefault("cert-manager")
+ settings: {}
+ external-dns:
+ enabled: #@ isClusterPackageEnableByDefault("external-dns")
+ settings: {}
+ certs:
+ enabled: #@ isClusterPackageEnableByDefault("certs")
+ settings: {}
+ kyverno:
+ enabled: #@ isClusterPackageEnableByDefault("kyverno")
+ settings: {}
+ kapp-controller:
+ enabled: #@ isClusterPackageEnableByDefault("kapp-controller")
+ settings: {}
+ educates:
+ enabled: #@ isClusterPackageEnableByDefault("educates")
+ settings: #@ xgetattr(data.values, "clusterPackages.educates.settings")
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml
new file mode 100644
index 000000000..0a383ee3e
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/50-packages-enablement.yaml
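Review bot: `copy_all_educates_values` is loaded from educates.lib.yaml but never used in this file (the copy happens in 89-copy-educates-config.yaml), so the fourth `load` line is dead and should be dropped. The header comment says "custom infrastructure provider" while this file is the kind provider's defaults; adjust the wording so the two `#!` lines describe this file. A brief `#!` note on why kind uses `type: ClusterIP` with `useHostPorts: true` where the GKE defaults use a `LoadBalancer` would also save the next reader from guessing.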
@@ -0,0 +1,28 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This enables packages based on the user input + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"): + enabled: #@ data.values.clusterPackages.contour.enabled + cert-manager: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"): + enabled: #@ data.values.clusterPackages["cert-manager"].enabled + external-dns: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"): + enabled: #@ data.values.clusterPackages["external-dns"].enabled + certs: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"): + enabled: #@ data.values.clusterPackages.certs.enabled + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): + enabled: #@ data.values.clusterPackages.kyverno.enabled + kapp-controller: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"): + enabled: #@ data.values.clusterPackages["kapp-controller"].enabled + educates: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): + enabled: #@ data.values.clusterPackages.educates.enabled 
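Review bot: The per-package `#@ if/end hasattr(...)` chains in this file re-implement `isClusterPackageEnabled` from functions.star, which already returns the user's `enabled` value when present and the provider default otherwise, so each block could collapse to `enabled: #@ isClusterPackageEnabled("contour")` (and likewise for the other six packages) without the three-way hasattr chains that can drift from the helper. The same duplication is in the vcluster 50-packages-enablement.yaml hunk. With the helper in use, the `data` load in this file would become unused.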
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml new file mode 100644 index 000000000..c140d8f3b --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/80-remove-settings-disabled.yaml @@ -0,0 +1,32 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml new file mode 100644 index 000000000..1afda1acb --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/89-copy-educates-config.yaml 
@@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml new file mode 100644 index 000000000..68ef912cb --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/90-overlays.yaml 
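Review bot: The header comment should state the precedence this overlay establishes: `settings: #@ copy_all_educates_values()` is merged on top of whatever `clusterPackages.educates.settings` already holds (in the kind provider, the user's package-level settings taken in 10-default-settings-for-provider.yaml), so a top-level value such as `clusterIngress.domain` appears to win over the same key given under `clusterPackages.educates.settings`. Suggested comment: `#! Top-level values are merged over clusterPackages.educates.settings, so they take precedence for keys set in both places.` The `data` module is loaded but not referenced here.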
@@ -0,0 +1,35 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:assert", "assert") +#@ load("/functions.star", "isGlobalCaCertificateRefEnabled") + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: +#@ if isGlobalCaCertificateRefEnabled(): + cert-manager: + enabled: true + settings: + clusterResourceNamespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace + certs: + enabled: true + settings: + domains: + - #@ data.values.clusterIngress.domain + certProvider: "local" #! TODO: This can be provided (provides the wildcard) or local (for rootCA) + local: + caCertificateRef: + name: #@ data.values.clusterInfrastructure.caCertificateRef.name + namespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace + wildcardCertificateNamespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace + certmanagerClusterResourceNamespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace + educates: + enabled: true + settings: + clusterIngress: + caCertificateRef: + namespace: #@ data.values.clusterInfrastructure.caCertificateRef.namespace + name: #@ data.values.clusterInfrastructure.caCertificateRef.name + #! NOTE: Nodes Operating System must be based of Debian in order to allow NodeInjector + caNodeInjector: + enabled: true +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml new file mode 100644 index 000000000..4c013ef93 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/95-remove-educates-settings-disabled.yaml 
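Review bot: This file loads `/functions.star` with a root-relative path while every sibling file loads `functions.star` relative to the file; if the two do not resolve to the same module the whole `isGlobalCaCertificateRefEnabled()` branch fails at load time, so the path should match the rest of the directory. `assert` is loaded but never used. The branch also sets `enabled: true` on cert-manager, certs and educates regardless of what the user chose in 50-packages-enablement.yaml, and nothing in the file says so; add `#! A global caCertificateRef forces cert-manager, certs and educates on; the user's enabled flag for these is ignored.` above `clusterPackages:`.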
@@ -0,0 +1,12 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + #@ if/end isClusterPackageExplicitDisabled("educates"): + #@overlay/replace + settings: {} \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/README.md new file mode 100644 index 000000000..0efd3905c --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/README.md @@ -0,0 +1,3 @@ +# Kind +For Kind we only allow the opinionated configuration for the packages, so, not settings are allowed +although enabling/disabling the package is allowed at users' risk. \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star new file mode 100644 index 000000000..84dc02e44 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/defaults.star @@ -0,0 +1,7 @@ +load("@ytt:data", "data") + +enabledByDefaultPackagesList = [ + "contour", + "kyverno", + "educates" +] \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml new file mode 100644 index 000000000..2bfa409a8 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/educates.lib.yaml 
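Review bot: This overlay decides on `isClusterPackageExplicitDisabled("educates")` from the user's input, but 90-overlays.yaml has already forced `educates: enabled: true` whenever a global `caCertificateRef` is set, so for a user who disabled educates and set the CA ref the result appears to be an enabled educates package with `settings: {}`. Either 90-overlays.yaml should not override `enabled` for educates, or this file should restore the user's choice inside the same `if/end` with `enabled: false` next to the replaced `settings: {}`. The `data` load is otherwise unused in this file.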
@@ -0,0 +1,172 @@ +#@ load("@ytt:data", "data") + +#@ def copy_all_educates_values(): + +#@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None: +imageRegistry: + #@ if/end hasattr(data.values.imageRegistry, "namespace") and data.values.imageRegistry.namespace != None: + namespace: #@ data.values.imageRegistry.namespace + #@ if/end hasattr(data.values.imageRegistry, "host") and data.values.imageRegistry.host != None: + host: #@ data.values.imageRegistry.host +#@ if/end hasattr(data.values, "version") and data.values.version != None: +version: #@ data.values.version +#@ if/end hasattr(data.values, "imageVersions") and data.values.imageVersions != None: +imageVersions: #@ data.values.imageVersions +#@ if/end hasattr(data.values, "clusterRuntime") and data.values.clusterRuntime != None: +clusterRuntime: #@ data.values.clusterRuntime +#@ if/end hasattr(data.values, "clusterIngress") and data.values.clusterIngress != None: +clusterIngress: + #@ if/end hasattr(data.values.clusterIngress, "domain") and data.values.clusterIngress.domain != None: + domain: #@ data.values.clusterIngress.domain + #@ if/end hasattr(data.values.clusterIngress, "class") and data.values.clusterIngress["class"] != None: + class: #@ data.values.clusterIngress["class"] + #@ if/end hasattr(data.values.clusterIngress, "protocol") and data.values.clusterIngress.protocol != None: + protocol: #@ data.values.clusterIngress.protocol + #@ if/end hasattr(data.values.clusterIngress, "tlsCertificate") and data.values.clusterIngress.tlsCertificate != None: + tlsCertificate: + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.crt") and data.values.clusterIngress.tlsCertificate["tls.crt"] != None: + tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"] + #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None: + tls.key: #@ data.values.clusterIngress.tlsCertificate["tls.key"] 
+ #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None: + tlsCertificateRef: + #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None: + namespace: #@ data.values.clusterIngress.tlsCertificateRef.namespace + #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None: + name: #@ data.values.clusterIngress.tlsCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None: + caCertificate: #@ data.values.clusterIngress.caCertificate + #@ if/end hasattr(data.values.clusterIngress, "caCertificateRef") and data.values.clusterIngress.caCertificateRef != None: + caCertificateRef: + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "namespace") and data.values.clusterIngress.caCertificateRef.namespace != None: + namespace: #@ data.values.clusterIngress.caCertificateRef.namespace + #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "name") and data.values.clusterIngress.caCertificateRef.name != None: + name: #@ data.values.clusterIngress.caCertificateRef.name + #@ if/end hasattr(data.values.clusterIngress, "caNodeInjector") and data.values.clusterIngress.caNodeInjector != None: + caNodeInjector: #@ data.values.clusterIngress.caNodeInjector +#@ if/end hasattr(data.values, "sessionCookies") and data.values.sessionCookies != None: +sessionCookies: #@ data.values.sessionCookies +#@ if/end hasattr(data.values, "clusterStorage") and data.values.clusterStorage != None: +clusterStorage: + #@ if/end hasattr(data.values.clusterStorage, "class") and data.values.clusterStorage["class"] != None: + class: #@ data.values.clusterStorage["class"] + #@ if/end hasattr(data.values.clusterStorage, "user") and data.values.clusterStorage.user != None: + user: #@ 
data.values.clusterStorage.user + #@ if/end hasattr(data.values.clusterStorage, "group") and data.values.clusterStorage.group != None: + group: #@ data.values.clusterStorage.group +#@ if/end hasattr(data.values, "clusterSecrets") and data.values.clusterSecrets != None: +clusterSecrets: #@ data.values.clusterSecrets +#@ if/end hasattr(data.values, "clusterSecurity") and data.values.clusterSecurity != None: +clusterSecurity: #@ data.values.clusterSecurity +#@ if/end hasattr(data.values, "workshopSecurity") and data.values.workshopSecurity != None: +workshopSecurity: #@ data.values.workshopSecurity +#@ if/end hasattr(data.values, "trainingPortal") and data.values.trainingPortal != None: +trainingPortal: + #@ if/end hasattr(data.values.trainingPortal, "credentials") and data.values.trainingPortal.credentials != None: + credentials: + #@ if/end hasattr(data.values.trainingPortal.credentials, "admin") and data.values.trainingPortal.credentials.admin != None: + admin: + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "username") and data.values.trainingPortal.credentials.admin.username != None: + username: #@ data.values.trainingPortal.credentials.admin.username + #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None: + password: #@ data.values.trainingPortal.credentials.admin.password + #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None: + username: #@ data.values.trainingPortal.credentials.robot.username + #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "password") and data.values.trainingPortal.credentials.robot.password != None: + password: #@ data.values.trainingPortal.credentials.robot.password + #@ if/end 
hasattr(data.values.trainingPortal, "clients") and data.values.trainingPortal.clients != None: + clients: + #@ if/end hasattr(data.values.trainingPortal.clients, "robot") and data.values.trainingPortal.clients.robot != None: + robot: + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "id") and data.values.trainingPortal.clients.robot.id != None: + id: #@ data.values.trainingPortal.clients.robot.id + #@ if/end hasattr(data.values.trainingPortal.clients.robot, "secret") and data.values.trainingPortal.clients.robot.secret != None: + secret: #@ data.values.trainingPortal.clients.robot.secret +#@ if/end hasattr(data.values, "dockerDaemon") and data.values.dockerDaemon != None: +dockerDaemon: + #@ if/end hasattr(data.values.dockerDaemon, "networkMTU") and data.values.dockerDaemon.networkMTU != None: + networkMTU: #@ data.values.dockerDaemon.networkMTU + #@ if/end hasattr(data.values.dockerDaemon, "proxyCache") and data.values.dockerDaemon.proxyCache != None: + proxyCache: + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "remoteURL") and data.values.dockerDaemon.proxyCache.remoteURL != None: + remoteURL: #@ data.values.dockerDaemon.proxyCache.remoteURL + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "username") and data.values.dockerDaemon.proxyCache.username != None: + username: #@ data.values.dockerDaemon.proxyCache.username + #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "password") and data.values.dockerDaemon.proxyCache.password != None: + password: #@ data.values.dockerDaemon.proxyCache.password +#@ if/end hasattr(data.values, "clusterNetwork") and data.values.clusterNetwork != None: +clusterNetwork: #@ data.values.clusterNetwork +#@ if/end hasattr(data.values, "workshopAnalytics") and data.values.workshopAnalytics != None: +workshopAnalytics: + #@ if/end hasattr(data.values.workshopAnalytics, "google") and data.values.workshopAnalytics.google != None: + google: + #@ if/end hasattr(data.values.workshopAnalytics.google, 
"trackingId") and data.values.workshopAnalytics.google.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.google.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "clarity") and data.values.workshopAnalytics.clarity != None: + clarity: + #@ if/end hasattr(data.values.workshopAnalytics.clarity, "trackingId") and data.values.workshopAnalytics.clarity.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.clarity.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "amplitude") and data.values.workshopAnalytics.amplitude != None: + amplitude: + #@ if/end hasattr(data.values.workshopAnalytics.amplitude, "trackingId") and data.values.workshopAnalytics.amplitude.trackingId != None: + trackingId: #@ data.values.workshopAnalytics.amplitude.trackingId + #@ if/end hasattr(data.values.workshopAnalytics, "webhook") and data.values.workshopAnalytics.webhook != None: + webhook: + #@ if/end hasattr(data.values.workshopAnalytics.webhook, "url") and data.values.workshopAnalytics.webhook.url != None: + url: #@ data.values.workshopAnalytics.webhook.url +#@ if/end hasattr(data.values, "websiteStyling") and data.values.websiteStyling != None: +websiteStyling: + #@ if/end hasattr(data.values.websiteStyling, "workshopDashboard") and data.values.websiteStyling.workshopDashboard != None: + workshopDashboard: + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "html") and data.values.websiteStyling.workshopDashboard.html != None: + html: #@ data.values.websiteStyling.workshopDashboard.html + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "script") and data.values.websiteStyling.workshopDashboard.script != None: + script: #@ data.values.websiteStyling.workshopDashboard.script + #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "style") and data.values.websiteStyling.workshopDashboard.style != None: + style: #@ data.values.websiteStyling.workshopDashboard.style + #@ if/end 
hasattr(data.values.websiteStyling, "workshopInstructions") and data.values.websiteStyling.workshopInstructions != None: + workshopInstructions: + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "html") and data.values.websiteStyling.workshopInstructions.html != None: + html: #@ data.values.websiteStyling.workshopInstructions.html + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "script") and data.values.websiteStyling.workshopInstructions.script != None: + script: #@ data.values.websiteStyling.workshopInstructions.script + #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "style") and data.values.websiteStyling.workshopInstructions.style != None: + style: #@ data.values.websiteStyling.workshopInstructions.style + #@ if/end hasattr(data.values.websiteStyling, "workshopStarted") and data.values.websiteStyling.workshopStarted != None: + workshopStarted: + #@ if/end hasattr(data.values.websiteStyling.workshopStarted, "html") and data.values.websiteStyling.workshopStarted.html != None: + html: #@ data.values.websiteStyling.workshopStarted.html + #@ if/end hasattr(data.values.websiteStyling, "workshopFinished") and data.values.websiteStyling.workshopFinished != None: + workshopFinished: + #@ if/end hasattr(data.values.websiteStyling.workshopFinished, "html") and data.values.websiteStyling.workshopFinished.html != None: + html: #@ data.values.websiteStyling.workshopFinished.html + #@ if/end hasattr(data.values.websiteStyling, "trainingPortal") and data.values.websiteStyling.trainingPortal != None: + trainingPortal: + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "html") and data.values.websiteStyling.trainingPortal.html != None: + html: #@ data.values.websiteStyling.trainingPortal.html + #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "script") and data.values.websiteStyling.trainingPortal.script != None: + script: #@ data.values.websiteStyling.trainingPortal.script + #@ if/end 
hasattr(data.values.websiteStyling.trainingPortal, "style") and data.values.websiteStyling.trainingPortal.style != None: + style: #@ data.values.websiteStyling.trainingPortal.style + #@ if/end hasattr(data.values.websiteStyling, "defaultTheme") and data.values.websiteStyling.defaultTheme != None: + defaultTheme: #@ data.values.websiteStyling.defaultTheme + #@ if/end hasattr(data.values.websiteStyling, "themeDataRefs") and data.values.websiteStyling.themeDataRefs != None: + themeDataRefs: #@ data.values.websiteStyling.themeDataRefs + #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None: + frameAncestors: #@ data.values.websiteStyling.frameAncestors +#@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None: +imagePuller: + enabled: #@ data.values.imagePuller.enabled + #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None: + #@overlay/replace + prePullImages: #@ data.values.imagePuller.prePullImages + #@ end +#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None: +lookupService: + #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None: + enabled: #@ data.values.lookupService.enabled + #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None: + ingressPrefix: #@ data.values.lookupService.ingressPrefix +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star new file mode 100644 index 000000000..774574200 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/kind/functions.star 
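Review bot: `enabled: #@ data.values.imagePuller.enabled` under `imagePuller:` is the only leaf in `copy_all_educates_values` read without a `hasattr` guard, so a user who sets `imagePuller: {prePullImages: [...]}` without `enabled` gets a template error instead of the inherited default; guard it like the others with `#@ if/end hasattr(data.values.imagePuller, "enabled") and data.values.imagePuller.enabled != None:`. This 172-line function is repeated almost verbatim in the vcluster educates.lib.yaml later in the diff, and the list of copied fields (which includes `tls.key`, the admin/robot `password` values and `clients.robot.secret`) will drift unless it lives in one shared library. A short header comment saying which keys are intentionally copied wholesale (`imageVersions`, `clusterSecrets`, `clusterSecurity`, ...) versus field by field would also help a reader.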
@@ -0,0 +1,55 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+ return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+ if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+ return data.values.clusterPackages[package].enabled
+ else:
+ return package in enabledByDefaultPackagesList
+ end
+end
+
+def isClusterPackageExplicitDisabled(package):
+ return not isClusterPackageEnabled(package)
+end
+
+def isGlobalCaCertificateRefEnabled():
+ return (hasattr(data.values.clusterInfrastructure, "caCertificateRef") and
+ hasattr(data.values.clusterInfrastructure.caCertificateRef, "namespace") and
+ hasattr(data.values.clusterInfrastructure.caCertificateRef, "name"))
+end
+
+def isEducatesTLSCertRefEnabled():
+ return (hasattr(data.values.clusterPackages.educates.settings, "clusterIngress") and
+ hasattr(data.values.clusterPackages.educates.settings.clusterIngress, "tlsCertificateRef") and
+ hasattr(data.values.clusterPackages.educates.settings.clusterIngress.tlsCertificateRef, "namespace") and
+ hasattr(data.values.clusterPackages.educates.settings.clusterIngress.tlsCertificateRef, "name"))
+end
+
+def isEducatesCARefEnabled():
+ return (hasattr(data.values.clusterPackages.educates.settings, "clusterIngress") and
+ hasattr(data.values.clusterPackages.educates.settings.clusterIngress, "caCertificateRef") and
+ hasattr(data.values.clusterPackages.educates.settings.clusterIngress.caCertificateRef, "namespace") and
+ hasattr(data.values.clusterPackages.educates.settings.clusterIngress.caCertificateRef, "name"))
+end
+
+def xgetattr(object, path, default=None):
+ def _lookup(object, key, default=None):
+ keys = key.split(".")
+ value = default
+ for key in keys:
+ value = getattr(object, key, None)
+ if value == None:
+ return default
+ end
+ object = value
+ end
+ return value
+ end
+
+ return _lookup(object, path, default)
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml
new file mode 100644
index 000000000..c64d2fda6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/00-remove-toplevel-values.yaml
@@ -0,0 +1,48 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/remove
+debug:
+
+#@overlay/remove
+localKindCluster:
+#@overlay/remove
+localDNSResolver:
+
+#@overlay/remove
+clusterInfrastructure:
+
+#@overlay/remove
+imageRegistry:
+#@overlay/remove
+version:
+#@overlay/remove
+imageVersions:
+#@overlay/remove
+clusterRuntime:
+#@overlay/remove
+clusterIngress:
+#@overlay/remove
+sessionCookies:
+#@overlay/remove
+clusterStorage:
+#@overlay/remove
+clusterSecrets:
+#@overlay/remove
+clusterSecurity:
+#@overlay/remove
+workshopSecurity:
+#@overlay/remove
+trainingPortal:
+#@overlay/remove
+dockerDaemon:
+#@overlay/remove
+clusterNetwork:
+#@overlay/remove
+workshopAnalytics:
+#@overlay/remove
+websiteStyling:
+#@overlay/remove
+imagePuller:
+#@overlay/remove
+lookupService:
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml
new file mode 100644
index 000000000..221ebf2c1
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/10-default-settings-for-provider.yaml
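Review bot: `isEducatesTLSCertRefEnabled`, `isEducatesCARefEnabled` and `isGlobalCaCertificateRefEnabled` dereference `data.values.clusterPackages.educates.settings` and `data.values.clusterInfrastructure` before any `hasattr` check, unlike `isClusterPackageEnabled` which guards `clusterPackages` first, so unless a values schema guarantees those keys the first `hasattr` argument itself raises when a user omits them; `xgetattr` from this same file already handles that, e.g. `return xgetattr(data.values, "clusterInfrastructure.caCertificateRef.namespace") != None and xgetattr(data.values, "clusterInfrastructure.caCertificateRef.name") != None`. `isClusterPackageExplicitDisabled` is simply `not isClusterPackageEnabled`, so it is also true for a package the user never mentioned that is off by default; rename it or document it with `# true when the package ends up off, whether by user choice or provider default`. In `xgetattr`, the loop variable `key` shadows the `key` parameter of `_lookup` and the initial `value = default` is never observed; the inner helper could be inlined into `xgetattr` directly.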
@@ -0,0 +1,31 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageEnableByDefault") + +#! This file contains default values for the custom infrastructure provider. +#! These are the values that will be set if not overridden by the user. + +#@overlay/match-child-defaults missing_ok=True +#@overlay/replace +clusterPackages: + contour: + enabled: #@ isClusterPackageEnableByDefault("contour") + settings: {} + cert-manager: + enabled: #@ isClusterPackageEnableByDefault("cert-manager") + settings: {} + external-dns: + enabled: #@ isClusterPackageEnableByDefault("external-dns") + settings: {} + certs: + enabled: #@ isClusterPackageEnableByDefault("certs") + settings: {} + kyverno: + enabled: #@ isClusterPackageEnableByDefault("kyverno") + settings: {} + kapp-controller: + enabled: #@ isClusterPackageEnableByDefault("kapp-controller") + settings: {} + educates: + enabled: #@ isClusterPackageEnableByDefault("educates") + settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-packages-enablement.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-packages-enablement.yaml new file mode 100644 index 000000000..2080d7d4d --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/50-packages-enablement.yaml 
@@ -0,0 +1,28 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This enables packages based on the user input + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: +#! contour: +#! #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "contour") and hasattr(data.values.clusterPackages.contour, "enabled"): +#! enabled: #@ data.values.clusterPackages.contour.enabled + cert-manager: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "cert-manager") and hasattr(data.values.clusterPackages["cert-manager"], "enabled"): + enabled: #@ data.values.clusterPackages["cert-manager"].enabled + external-dns: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "external-dns") and hasattr(data.values.clusterPackages["external-dns"], "enabled"): + enabled: #@ data.values.clusterPackages["external-dns"].enabled + certs: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "certs") and hasattr(data.values.clusterPackages.certs, "enabled"): + enabled: #@ data.values.clusterPackages.certs.enabled + kyverno: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kyverno") and hasattr(data.values.clusterPackages.kyverno, "enabled"): + enabled: #@ data.values.clusterPackages.kyverno.enabled + kapp-controller: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "kapp-controller") and hasattr(data.values.clusterPackages["kapp-controller"], "enabled"): + enabled: #@ data.values.clusterPackages["kapp-controller"].enabled + educates: + #@ if/end hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, "educates") and hasattr(data.values.clusterPackages.educates, "enabled"): + enabled: #@ data.values.clusterPackages.educates.enabled 
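Review bot: The `contour:` block is kept as `#!` comment lines rather than removed, and a user who sets `clusterPackages.contour.enabled: true` on vcluster gets no feedback that the value is ignored; delete the dead block and add `#! contour cannot be enabled on vcluster; clusterPackages.contour input is ignored` under `clusterPackages:`, or fail the render when it is set. The same commented-out pattern is in the vcluster 99-remove-settings-disabled.yaml hunk for `educates`. The `data` load here is used by the remaining conditions, so it stays.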
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml new file mode 100644 index 000000000..1afda1acb --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/80-copy-educates-config.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("educates.lib.yaml", "copy_all_educates_values") + +#! This copies user provided values for the custom infrastructure provider. + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: #@ copy_all_educates_values() diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/90-overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/90-overlays.yaml new file mode 100644 index 000000000..121477b68 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/90-overlays.yaml @@ -0,0 +1,16 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#! This file is used to set the default values for the vcluster installation +#! Add to this file all the defaults that you don't want to be overidden by the user +#! These values will override all the values provided by the user either in the global configuration +#! or the clusterPackages.educates configuration + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + educates: + settings: + imagePuller: + enabled: false + #@overlay/replace + prePullImages: [] diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml new file mode 100644 index 000000000..25b8297c8 --- /dev/null 
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/99-remove-settings-disabled.yaml @@ -0,0 +1,36 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("functions.star", "isClusterPackageExplicitDisabled") + +#! This removes settings for disabled packages + +#@overlay/match-child-defaults missing_ok=True +clusterPackages: + contour: + #@ if/end isClusterPackageExplicitDisabled("contour"): + #@overlay/replace + settings: {} + cert-manager: + #@ if/end isClusterPackageExplicitDisabled("cert-manager"): + #@overlay/replace + settings: {} + external-dns: + #@ if/end isClusterPackageExplicitDisabled("external-dns"): + #@overlay/replace + settings: {} + certs: + #@ if/end isClusterPackageExplicitDisabled("certs"): + #@overlay/replace + settings: {} + kyverno: + #@ if/end isClusterPackageExplicitDisabled("kyverno"): + #@overlay/replace + settings: {} + kapp-controller: + #@ if/end isClusterPackageExplicitDisabled("kapp-controller"): + #@overlay/replace + settings: {} + #! educates: + #! #@ if/end isClusterPackageExplicitDisabled("educates"): + #! #@overlay/replace + #! settings: {} diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md new file mode 100644 index 000000000..360ccfe91 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/README.md @@ -0,0 +1,6 @@ +# generic +By default, only kyverno and educates will be installed +We only allow to enabling/disabling packages at users' risk (except for contour and lookup-service) +No configuration is provided for these packages. + +TODO: Revisit the configuration for some of the packages. Should we allow for enabling external-dns, certs,...? \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star
new file mode 100644
index 000000000..8d7aa8e01
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/defaults.star
@@ -0,0 +1,6 @@
+load("@ytt:data", "data")
+
+enabledByDefaultPackagesList = [
+ "kyverno",
+ "educates"
+]
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml
new file mode 100644
index 000000000..b721fccf0
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/educates.lib.yaml
@@ -0,0 +1,173 @@
+#@ load("@ytt:data", "data")
+
+#@ def copy_all_educates_values():
+
+#@ if/end hasattr(data.values, "imageRegistry") and data.values.imageRegistry != None:
+imageRegistry:
+ #@ if/end hasattr(data.values.imageRegistry, "namespace") and data.values.imageRegistry.namespace != None:
+ namespace: #@ data.values.imageRegistry.namespace
+ #@ if/end hasattr(data.values.imageRegistry, "host") and data.values.imageRegistry.host != None:
+ host: #@ data.values.imageRegistry.host
+#@ if/end hasattr(data.values, "version") and data.values.version != None:
+version: #@ data.values.version
+#@ if/end hasattr(data.values, "imageVersions") and data.values.imageVersions != None:
+imageVersions: #@ data.values.imageVersions
+#@ if/end hasattr(data.values, "clusterRuntime") and data.values.clusterRuntime != None:
+clusterRuntime: #@ data.values.clusterRuntime
+#@ if/end hasattr(data.values, "clusterIngress") and data.values.clusterIngress != None:
+clusterIngress:
+ #@ if/end hasattr(data.values.clusterIngress, "domain") and data.values.clusterIngress.domain != None:
+ domain: #@ data.values.clusterIngress.domain
+ #@ if/end hasattr(data.values.clusterIngress, "class") and data.values.clusterIngress["class"] != None:
+ class: #@ data.values.clusterIngress["class"]
+ #@ if/end hasattr(data.values.clusterIngress, "protocol") and data.values.clusterIngress.protocol != None:
+ protocol: #@ data.values.clusterIngress.protocol
+ #@ if/end hasattr(data.values.clusterIngress, "tlsCertificate") and data.values.clusterIngress.tlsCertificate != None:
+ tlsCertificate:
+ #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.crt") and data.values.clusterIngress.tlsCertificate["tls.crt"] != None:
+ tls.crt: #@ data.values.clusterIngress.tlsCertificate["tls.crt"]
+ #@ if/end hasattr(data.values.clusterIngress.tlsCertificate, "tls.key") and data.values.clusterIngress.tlsCertificate["tls.key"] != None:
+ tls.key: #@ data.values.clusterIngress.tlsCertificate["tls.key"]
+ #! TODO: Customize certs name reference in eks
+ #! projectcontour/wildcard
+ #@ if/end hasattr(data.values.clusterIngress, "tlsCertificateRef") and data.values.clusterIngress.tlsCertificateRef != None:
+ tlsCertificateRef:
+ namespace: #@ (hasattr(data.values.clusterIngress.tlsCertificateRef, "namespace") and data.values.clusterIngress.tlsCertificateRef.namespace != None) and data.values.clusterIngress.tlsCertificateRef.namespace or "projectcontour"
+ #@ if/end hasattr(data.values.clusterIngress.tlsCertificateRef, "name") and data.values.clusterIngress.tlsCertificateRef.name != None:
+ name: #@ data.values.clusterIngress.tlsCertificateRef.name
+ #@ if/end hasattr(data.values.clusterIngress, "caCertificate") and data.values.clusterIngress.caCertificate != None:
+ caCertificate: #@ data.values.clusterIngress.caCertificate
+ #@ if/end hasattr(data.values.clusterIngress, "caCertificateRef") and data.values.clusterIngress.caCertificateRef != None:
+ caCertificateRef:
+ #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "namespace") and data.values.clusterIngress.caCertificateRef.namespace != None:
+ namespace: #@ data.values.clusterIngress.caCertificateRef.namespace
+ #@ if/end hasattr(data.values.clusterIngress.caCertificateRef, "name") and data.values.clusterIngress.caCertificateRef.name != None:
+ name: #@ data.values.clusterIngress.caCertificateRef.name
+ #@ if/end hasattr(data.values.clusterIngress, "caNodeInjector") and data.values.clusterIngress.caNodeInjector != None:
+ caNodeInjector: #@ data.values.clusterIngress.caNodeInjector
+#@ if/end hasattr(data.values, "sessionCookies") and data.values.sessionCookies != None:
+sessionCookies: #@ data.values.sessionCookies
+#@ if/end hasattr(data.values, "clusterStorage") and data.values.clusterStorage != None:
+clusterStorage:
+ #@ if/end hasattr(data.values.clusterStorage, "class") and data.values.clusterStorage["class"] != None:
+ class: #@ data.values.clusterStorage["class"]
+ #@ if/end
hasattr(data.values.clusterStorage, "user") and data.values.clusterStorage.user != None:
+ user: #@ data.values.clusterStorage.user
+ #@ if/end hasattr(data.values.clusterStorage, "group") and data.values.clusterStorage.group != None:
+ group: #@ data.values.clusterStorage.group
+#@ if/end hasattr(data.values, "clusterSecrets") and data.values.clusterSecrets != None:
+clusterSecrets: #@ data.values.clusterSecrets
+#@ if/end hasattr(data.values, "clusterSecurity") and data.values.clusterSecurity != None:
+clusterSecurity: #@ data.values.clusterSecurity
+#@ if/end hasattr(data.values, "workshopSecurity") and data.values.workshopSecurity != None:
+workshopSecurity: #@ data.values.workshopSecurity
+#@ if/end hasattr(data.values, "trainingPortal") and data.values.trainingPortal != None:
+trainingPortal:
+ #@ if/end hasattr(data.values.trainingPortal, "credentials") and data.values.trainingPortal.credentials != None:
+ credentials:
+ #@ if/end hasattr(data.values.trainingPortal.credentials, "admin") and data.values.trainingPortal.credentials.admin != None:
+ admin:
+ #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "username") and data.values.trainingPortal.credentials.admin.username != None:
+ username: #@ data.values.trainingPortal.credentials.admin.username
+ #@ if/end hasattr(data.values.trainingPortal.credentials.admin, "password") and data.values.trainingPortal.credentials.admin.password != None:
+ password: #@ data.values.trainingPortal.credentials.admin.password
+ #@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None:
+ robot:
+ #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "username") and data.values.trainingPortal.credentials.robot.username != None:
+ username: #@ data.values.trainingPortal.credentials.robot.username
+ #@ if/end hasattr(data.values.trainingPortal.credentials.robot, "password") and data.values.trainingPortal.credentials.robot.password != None:
+ password: #@ data.values.trainingPortal.credentials.robot.password
+ #@ if/end hasattr(data.values.trainingPortal, "clients") and data.values.trainingPortal.clients != None:
+ clients:
+ #@ if/end hasattr(data.values.trainingPortal.clients, "robot") and data.values.trainingPortal.clients.robot != None:
+ robot:
+ #@ if/end hasattr(data.values.trainingPortal.clients.robot, "id") and data.values.trainingPortal.clients.robot.id != None:
+ id: #@ data.values.trainingPortal.clients.robot.id
+ #@ if/end hasattr(data.values.trainingPortal.clients.robot, "secret") and data.values.trainingPortal.clients.robot.secret != None:
+ secret: #@ data.values.trainingPortal.clients.robot.secret
+#@ if/end hasattr(data.values, "dockerDaemon") and data.values.dockerDaemon != None:
+dockerDaemon:
+ #@ if/end hasattr(data.values.dockerDaemon, "networkMTU") and data.values.dockerDaemon.networkMTU != None:
+ networkMTU: #@ data.values.dockerDaemon.networkMTU
+ #@ if/end hasattr(data.values.dockerDaemon, "proxyCache") and data.values.dockerDaemon.proxyCache != None:
+ proxyCache:
+ #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "remoteURL") and data.values.dockerDaemon.proxyCache.remoteURL != None:
+ remoteURL: #@ data.values.dockerDaemon.proxyCache.remoteURL
+ #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "username") and data.values.dockerDaemon.proxyCache.username != None:
+ username: #@ data.values.dockerDaemon.proxyCache.username
+ #@ if/end hasattr(data.values.dockerDaemon.proxyCache, "password") and data.values.dockerDaemon.proxyCache.password != None:
+ password: #@ data.values.dockerDaemon.proxyCache.password
+#@ if/end hasattr(data.values, "clusterNetwork") and data.values.clusterNetwork != None:
+clusterNetwork: #@ data.values.clusterNetwork
+#@ if/end hasattr(data.values, "workshopAnalytics") and data.values.workshopAnalytics != None:
+workshopAnalytics:
+ #@ if/end hasattr(data.values.workshopAnalytics, "google") and data.values.workshopAnalytics.google !=
None:
+ google:
+ #@ if/end hasattr(data.values.workshopAnalytics.google, "trackingId") and data.values.workshopAnalytics.google.trackingId != None:
+ trackingId: #@ data.values.workshopAnalytics.google.trackingId
+ #@ if/end hasattr(data.values.workshopAnalytics, "clarity") and data.values.workshopAnalytics.clarity != None:
+ clarity:
+ #@ if/end hasattr(data.values.workshopAnalytics.clarity, "trackingId") and data.values.workshopAnalytics.clarity.trackingId != None:
+ trackingId: #@ data.values.workshopAnalytics.clarity.trackingId
+ #@ if/end hasattr(data.values.workshopAnalytics, "amplitude") and data.values.workshopAnalytics.amplitude != None:
+ amplitude:
+ #@ if/end hasattr(data.values.workshopAnalytics.amplitude, "trackingId") and data.values.workshopAnalytics.amplitude.trackingId != None:
+ trackingId: #@ data.values.workshopAnalytics.amplitude.trackingId
+ #@ if/end hasattr(data.values.workshopAnalytics, "webhook") and data.values.workshopAnalytics.webhook != None:
+ webhook:
+ #@ if/end hasattr(data.values.workshopAnalytics.webhook, "url") and data.values.workshopAnalytics.webhook.url != None:
+ url: #@ data.values.workshopAnalytics.webhook.url
+#@ if/end hasattr(data.values, "websiteStyling") and data.values.websiteStyling != None:
+websiteStyling:
+ #@ if/end hasattr(data.values.websiteStyling, "workshopDashboard") and data.values.websiteStyling.workshopDashboard != None:
+ workshopDashboard:
+ #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "html") and data.values.websiteStyling.workshopDashboard.html != None:
+ html: #@ data.values.websiteStyling.workshopDashboard.html
+ #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "script") and data.values.websiteStyling.workshopDashboard.script != None:
+ script: #@ data.values.websiteStyling.workshopDashboard.script
+ #@ if/end hasattr(data.values.websiteStyling.workshopDashboard, "style") and data.values.websiteStyling.workshopDashboard.style != None:
+ style: #@
data.values.websiteStyling.workshopDashboard.style
+ #@ if/end hasattr(data.values.websiteStyling, "workshopInstructions") and data.values.websiteStyling.workshopInstructions != None:
+ workshopInstructions:
+ #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "html") and data.values.websiteStyling.workshopInstructions.html != None:
+ html: #@ data.values.websiteStyling.workshopInstructions.html
+ #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "script") and data.values.websiteStyling.workshopInstructions.script != None:
+ script: #@ data.values.websiteStyling.workshopInstructions.script
+ #@ if/end hasattr(data.values.websiteStyling.workshopInstructions, "style") and data.values.websiteStyling.workshopInstructions.style != None:
+ style: #@ data.values.websiteStyling.workshopInstructions.style
+ #@ if/end hasattr(data.values.websiteStyling, "workshopStarted") and data.values.websiteStyling.workshopStarted != None:
+ workshopStarted:
+ #@ if/end hasattr(data.values.websiteStyling.workshopStarted, "html") and data.values.websiteStyling.workshopStarted.html != None:
+ html: #@ data.values.websiteStyling.workshopStarted.html
+ #@ if/end hasattr(data.values.websiteStyling, "workshopFinished") and data.values.websiteStyling.workshopFinished != None:
+ workshopFinished:
+ #@ if/end hasattr(data.values.websiteStyling.workshopFinished, "html") and data.values.websiteStyling.workshopFinished.html != None:
+ html: #@ data.values.websiteStyling.workshopFinished.html
+ #@ if/end hasattr(data.values.websiteStyling, "trainingPortal") and data.values.websiteStyling.trainingPortal != None:
+ trainingPortal:
+ #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "html") and data.values.websiteStyling.trainingPortal.html != None:
+ html: #@ data.values.websiteStyling.trainingPortal.html
+ #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "script") and data.values.websiteStyling.trainingPortal.script != None:
+ script: #@
data.values.websiteStyling.trainingPortal.script
+ #@ if/end hasattr(data.values.websiteStyling.trainingPortal, "style") and data.values.websiteStyling.trainingPortal.style != None:
+ style: #@ data.values.websiteStyling.trainingPortal.style
+ #@ if/end hasattr(data.values.websiteStyling, "defaultTheme") and data.values.websiteStyling.defaultTheme != None:
+ defaultTheme: #@ data.values.websiteStyling.defaultTheme
+ #@ if/end hasattr(data.values.websiteStyling, "themeDataRefs") and data.values.websiteStyling.themeDataRefs != None:
+ themeDataRefs: #@ data.values.websiteStyling.themeDataRefs
+ #@ if/end hasattr(data.values.websiteStyling, "frameAncestors") and data.values.websiteStyling.frameAncestors != None:
+ frameAncestors: #@ data.values.websiteStyling.frameAncestors
+#@ if/end hasattr(data.values, "imagePuller") and data.values.imagePuller != None:
+imagePuller:
+ enabled: #@ data.values.imagePuller.enabled
+ #@ if hasattr(data.values.imagePuller, "prePullImages") and data.values.imagePuller.prePullImages != None:
+ #@overlay/replace
+ prePullImages: #@ data.values.imagePuller.prePullImages
+ #@ end
+#@ if/end hasattr(data.values, "lookupService") and data.values.lookupService != None:
+lookupService:
+ #@ if/end hasattr(data.values.lookupService, "enabled") and data.values.lookupService.enabled != None:
+ enabled: #@ data.values.lookupService.enabled
+ #@ if/end hasattr(data.values.lookupService, "ingressPrefix") and data.values.lookupService.ingressPrefix != None:
+ ingressPrefix: #@ data.values.lookupService.ingressPrefix
+#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star
new file mode 100644
index 000000000..6a078759f
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/infrastructure/vcluster/functions.star
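Review bot: The guard for the robot credentials in educates.lib.yaml tests the wrong attribute: `#@ if/end hasattr(data.values.trainingPortal.credentials, "robot") and data.values.trainingPortal.credentials.admin != None:` checks `admin` for None and then copies `.robot` beneath it, so whether the robot block is emitted depends on `admin` rather than `robot` (a values file with `admin: null` silently drops the robot credentials). It should read `... and data.values.trainingPortal.credentials.robot != None:`. Further down, `enabled: #@ data.values.imagePuller.enabled` is the one leaf copied without a `hasattr`/`!= None` guard, unlike every sibling in this function, so a partial `imagePuller` map will presumably fail at render time; wrapping it like the others keeps the contract uniform. Since the function deliberately forwards secret material (`tls.key`, admin/robot passwords, `clients.robot.secret`, the proxy-cache password) into the vcluster's values, a `#!` comment above `copy_all_educates_values` saying so would help reviewers of the templates that consume its output.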
@@ -0,0 +1,18 @@
+load("@ytt:data", "data")
+load("defaults.star", "enabledByDefaultPackagesList")
+
+def isClusterPackageEnableByDefault(package):
+ return package in enabledByDefaultPackagesList
+end
+
+def isClusterPackageEnabled(package):
+ if hasattr(data.values, "clusterPackages") and hasattr(data.values.clusterPackages, package) and hasattr(data.values.clusterPackages[package], "enabled"):
+ return data.values.clusterPackages[package].enabled
+ else:
+ return package in enabledByDefaultPackagesList
+ end
+end
+
+def isClusterPackageExplicitDisabled(package):
+ return not isClusterPackageEnabled(package)
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/.gitkeep b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/functions.star
new file mode 100644
index 000000000..7a24277f5
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/functions.star
@@ -0,0 +1,14 @@
+load("@ytt:data", "data")
+load("@ytt:struct", "struct")
+
+def get_serviceaccount_annotations():
+ annotations = {}
+
+ if data.values.serviceaccount.annotations:
+ annotations_kvs = struct.decode(data.values.serviceaccount.annotations)
+ annotations.update(annotations_kvs)
+ end
+
+ return annotations
+end
+
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-annotations.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-annotations.yaml
new file mode 100644
index 000000000..d6455c678
--- /dev/null
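Review bot: `isClusterPackageExplicitDisabled` in the vcluster functions.star returns True for any package that is neither in `enabledByDefaultPackagesList` nor explicitly enabled, not only for packages the user explicitly set `enabled: false` on, so its name misstates what the remove-settings overlay keys on; either rename it (`isClusterPackageDisabled`) or add a docstring-style comment above it saying that "not enabled" counts as disabled. `isClusterPackageEnabled` also repeats the `package in enabledByDefaultPackagesList` lookup inline instead of calling `isClusterPackageEnableByDefault(package)`, and that helper's name is missing a "d" (`Enabled`). Finally, if a user sets `enabled: null`, the `hasattr` check presumably passes and the None is returned as-is, which callers then treat as disabled; a `!= None` check in the condition would make that explicit.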
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-annotations.yaml
@@ -0,0 +1,20 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("functions.star", "get_serviceaccount_annotations")
+
+#@ if hasattr(data.values, "serviceaccount") and hasattr(data.values.serviceaccount, "annotations") and data.values.serviceaccount.annotations!=None:
+#@overlay/match by=overlay.subset({"kind":"ServiceAccount", "metadata": {"name": "cert-manager"}})
+#@overlay/match-child-defaults missing_ok=True
+---
+metadata:
+ annotations: #@ get_serviceaccount_annotations()
+
+#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "cert-manager"}})
+#@overlay/match-child-defaults missing_ok=True
+---
+spec:
+ template:
+ spec:
+ securityContext:
+ fsGroup: 1001
+#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-cluster-resource-namespace.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-cluster-resource-namespace.yaml
new file mode 100644
index 000000000..0a1f1e665
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-cluster-resource-namespace.yaml
@@ -0,0 +1,14 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "cert-manager"}})
+---
+spec:
+ template:
+ spec:
+ containers:
+ #@overlay/match by="name"
+ - name: cert-manager-controller
+ args:
+ #@overlay/match by=lambda i,l,r: l.startswith("--cluster-resource-namespace=")
+ - #@ "--cluster-resource-namespace={}".format(data.values.clusterResourceNamespace)
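Review bot: In overlay-annotations.yaml the `fsGroup: 1001` patch on the cert-manager Deployment sits inside the same `#@ if ... data.values.serviceaccount.annotations!=None:` block as the ServiceAccount annotations, so the pod's supplemental group changes only when annotations are configured. If that coupling is deliberate (presumably a projected service-account token that must be readable by the non-root process), a `#!` comment above the Deployment match saying so would stop the next reader from splitting it out; if not, the Deployment overlay should be its own unconditional document. Note also that the `#@ if` guards with `hasattr(data.values, "serviceaccount")` while `get_serviceaccount_annotations` in the sibling functions.star dereferences `data.values.serviceaccount.annotations` unguarded, which is only safe while the helper is called from inside this block — worth a one-line comment on the helper.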
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-leader-election-namespace.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-leader-election-namespace.yaml
new file mode 100644
index 000000000..bd4e603ba
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-leader-election-namespace.yaml
@@ -0,0 +1,36 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "cert-manager-cainjector"}})
+---
+spec:
+ template:
+ spec:
+ containers:
+ #@overlay/match by="name"
+ - name: cert-manager-cainjector
+ args:
+ #@overlay/match by=lambda i,l,r: l.startswith("--leader-election-namespace=")
+ - #@ "--leader-election-namespace={}".format(data.values.leaderElectionNamespace)
+
+#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "cert-manager"}})
+---
+spec:
+ template:
+ spec:
+ containers:
+ #@overlay/match by="name"
+ - name: cert-manager-controller
+ args:
+ #@overlay/match by=lambda i,l,r: l.startswith("--leader-election-namespace=")
+ - #@ "--leader-election-namespace={}".format(data.values.leaderElectionNamespace)
+
+#@overlay/match by=overlay.subset({"kind":"Role", "metadata": {"namespace": "kube-system"}}),expects=2
+---
+metadata:
+ namespace: #@ data.values.leaderElectionNamespace
+
+#@overlay/match by=overlay.subset({"kind":"RoleBinding", "metadata": {"namespace": "kube-system"}}),expects=2
+---
+metadata:
+ namespace: #@ data.values.leaderElectionNamespace
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-namespace.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-namespace.yaml
new file mode 100644
index 000000000..8605bc05f
--- /dev/null
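Review bot: The `expects=2` on the Role and RoleBinding matches in overlay-leader-election-namespace.yaml (and `expects=[10,14]`, `expects=13`, `expects=2` in overlay-namespace.yaml, `expects=3` in overlay-schema-fixes.yaml) pin these overlays to the resource counts of the vendored upstream/cert-manager.yaml, so a bump of that file will fail rendering until every count is re-derived; that is good fail-closed behaviour, but nothing says so. A `#!` comment at the top of each overlay, `#! expects= counts are derived from upstream/cert-manager.yaml; re-check them when bumping it`, would make the failure self-explanatory. The `{"kind":"Role", "metadata": {"namespace": "kube-system"}}` subset also selects by namespace alone, so any future upstream Role in kube-system unrelated to leader election would be relocated as well; matching by name, as overlay-schema-fixes.yaml does, is more precise and documents which resources are meant.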
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-namespace.yaml
@@ -0,0 +1,46 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match by=overlay.subset({"kind":"Namespace", "metadata": {"name": "cert-manager"}})
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: #@ data.values.namespace
+
+#@overlay/match by=overlay.subset({"metadata": {"namespace": "cert-manager"}}), expects=[10,14]
+---
+metadata:
+ namespace: #@ data.values.namespace
+
+#@ crb=overlay.subset({"kind":"ClusterRoleBinding"})
+#@ rb=overlay.subset({"kind":"RoleBinding"})
+#@overlay/match by=overlay.or_op(crb, rb), expects=13
+---
+subjects:
+ #@overlay/match by=overlay.subset({"namespace": "cert-manager"})
+ - kind: ServiceAccount
+ namespace: #@ data.values.namespace
+
+#@ vwc=overlay.subset({"kind":"ValidatingWebhookConfiguration"})
+#@ mwc=overlay.subset({"kind":"MutatingWebhookConfiguration"})
+#@overlay/match by=overlay.or_op(vwc, mwc), expects=2
+---
+webhooks:
+ #@overlay/match by="name"
+ - name: webhook.cert-manager.io
+ clientConfig:
+ service:
+ namespace: #@ data.values.namespace
+
+#@overlay/match by=overlay.subset({"kind":"MutatingWebhookConfiguration"})
+---
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from-secret: #@ "{}/cert-manager-webhook-ca".format(data.values.namespace)
+
+#@overlay/match by=overlay.subset({"kind":"ValidatingWebhookConfiguration"})
+---
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from-secret: #@ "{}/cert-manager-webhook-ca".format(data.values.namespace)
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-schema-fixes.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-schema-fixes.yaml
new file mode 100644
index 000000000..6a6c72600
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/overlays/overlay-schema-fixes.yaml
@@ -0,0 +1,13 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@ b1 = overlay.subset({"kind":"ClusterRoleBinding", "metadata": {"name": "cert-manager-webhook:subjectaccessreviews"}})
+#@ b2 = overlay.subset({"kind":"RoleBinding", "metadata": {"name": "cert-manager:leaderelection"}})
+#@ b3 = overlay.subset({"kind":"RoleBinding", "metadata": {"name": "cert-manager-webhook:dynamic-serving"}})
+#@overlay/match by=overlay.or_op(b1, b2, b3), expects=3
+---
+subjects:
+ #@overlay/match by=overlay.subset({"apiGroup":""})
+ - kind: ServiceAccount
+ #@overlay/remove
+ apiGroup: ""
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/upstream/cert-manager.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/upstream/cert-manager.yaml
new file mode 100644
index 000000000..aa0cf726a
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/upstream/cert-manager.yaml
@@ -0,0 +1,5837 @@ +# Copyright 2022 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.14.7" +spec: + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Approved")].status + name: Approved + type: string + - jsonPath: .status.conditions[?(@.type=="Denied")].status + name: Denied + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + type: string + - jsonPath: .spec.username + name: Requestor + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this 
object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state of the CertificateRequest resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + required: + - issuerRef + - request + properties: + duration: + description: Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. 
+ type: string + extra: + description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: object + additionalProperties: + type: array + items: + type: string + groups: + description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: array + items: + type: string + x-kubernetes-list-type: atomic + isCA: + description: "Requested basic constraints isCA value. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." + type: boolean + issuerRef: + description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + request: + description: "The PEM-encoded X.509 certificate signing request to be submitted to the issuer for signing. \n If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. 
If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest." + type: string + format: byte + uid: + description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: "Requested key usages and extended key usages. \n NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. \n If unset, defaults to `digital signature` and `key encipherment`." + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + username: + description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + status: + description: 'Status of the CertificateRequest. 
This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + ca: + description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. + type: string + format: byte + certificate: + description: The PEM encoded X.509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. + type: string + format: byte + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`. + type: array + items: + description: CertificateRequestCondition contains condition information for a CertificateRequest. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest failed. 
This is used to influence garbage collection and back-off. + type: string + format: date-time + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.14.7" +spec: + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state of the Certificate resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + required: + - issuerRef + - secretName + properties: + additionalOutputFormats: + description: "Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. \n This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components." + type: array + items: + description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. + type: object + required: + - type + properties: + type: + description: Type is the name of the format type that should be written to the Certificate's target Secret. + type: string + enum: + - DER + - CombinedPEM + commonName: + description: "Requested common name X509 certificate subject attribute. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 NOTE: TLS clients will ignore this value when any subject alternative name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). \n Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set." 
+ type: string + dnsNames: + description: Requested DNS subject alternative names. + type: array + items: + type: string + duration: + description: "Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. \n If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." + type: string + emailAddresses: + description: Requested email subject alternative names. + type: array + items: + type: string + encodeUsagesInRequest: + description: "Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. \n This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions." + type: boolean + ipAddresses: + description: Requested IP address subject alternative names. + type: array + items: + type: string + isCA: + description: "Requested basic constraints isCA value. The isCA value is used to set the `isCA` field on the created CertificateRequest resources. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." + type: boolean + issuerRef: + description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. 
+ type: string + keystores: + description: Additional keystore output formats to be stored in the Certificate's Secret. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. 
If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + profile: + description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret." + type: string + enum: + - LegacyRC2 + - LegacyDES + - Modern2023 + literalSubject: + description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. 
Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." + type: string + nameConstraints: + description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components." + type: object + properties: + critical: + description: if true then the name constraints are marked critical. + type: boolean + excluded: + description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted + type: object + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are permitted or excluded. + type: array + items: + type: string + emailAddresses: + description: EmailAddresses is a list of Email Addresses that are permitted or excluded. + type: array + items: + type: string + ipRanges: + description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. + type: array + items: + type: string + uriDomains: + description: URIDomains is a list of URI domains that are permitted or excluded. + type: array + items: + type: string + permitted: + description: Permitted contains the constraints in which the names must be located. 
+ type: object + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are permitted or excluded. + type: array + items: + type: string + emailAddresses: + description: EmailAddresses is a list of Email Addresses that are permitted or excluded. + type: array + items: + type: string + ipRanges: + description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. + type: array + items: + type: string + uriDomains: + description: URIDomains is a list of URI domains that are permitted or excluded. + type: array + items: + type: string + otherNames: + description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.' + type: array + items: + type: object + properties: + oid: + description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221". + type: string + utf8Value: + description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN. + type: string + privateKey: + description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. + type: object + properties: + algorithm: + description: "Algorithm is the private key algorithm of the corresponding private key for this certificate. \n If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. 
If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm." + type: string + enum: + - RSA + - ECDSA + - Ed25519 + encoding: + description: "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified." + type: string + enum: + - PKCS1 + - PKCS8 + rotationPolicy: + description: "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. \n If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility." + type: string + enum: + - Never + - Always + size: + description: "Size is the key bit size of the corresponding private key for this certificate. \n If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed." + type: integer + renewBefore: + description: "How long before the currently issued certificate's expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. 
when there are 10 minutes remaining until the certificate is no longer valid). \n NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. \n If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." + type: string + revisionHistoryLimit: + description: "The maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. \n If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`." + type: integer + format: int32 + secretName: + description: Name of the Secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. The Secret resource lives in the same namespace as the Certificate resource. + type: string + secretTemplate: + description: Defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: + description: Annotations is a key value map to be copied to the target Kubernetes Secret. 
+ type: object + additionalProperties: + type: string + labels: + description: Labels is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + subject: + description: "Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 \n The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set." + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. + type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uris: + description: Requested URI subject alternative names. + type: array + items: + type: string + usages: + description: "Requested key usages and extended key usages. These usages are used to set the `usages` field on the created CertificateRequest resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages will additionally be encoded in the `request` field which contains the CSR blob. \n If unset, defaults to `digital signature` and `key encipherment`." + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: 'Status of the Certificate. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + conditions: + description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. + type: array + items: + description: CertificateCondition contains condition information for an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. + type: string + format: date-time + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. 
+ type: string + format: date-time + notBefore: + description: The time after which the certificate stored in the secret named by this resource in `spec.secretName` is valid. + type: string + format: date-time + renewalTime: + description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. + type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." + type: integer + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: challenges.acme.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.14.7" +spec: + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when this object was created. 
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + properties: + authorizationURL: + description: The URL to the ACME Authorization resource that this challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. 
+ type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + key: + description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' + type: string + solver: + description: Contains the domain solving configuration that should be used to solve this challenge resource. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 
+ type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
+ type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' + type: string + clientSecretSecretRef: + description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' 
+ type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). 
\n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. 
Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. 
Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. 
+ type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. 
+ type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. 
+ type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. 
If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. 
When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. 
The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
+ type: string + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. 
If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + token: + description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". + type: string + enum: + - HTTP-01 + - DNS-01 + url: + description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. + type: boolean + status: + type: object + properties: + presented: + description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. 
+ type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + served: true + storage: true + subresources: + status: {} +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: "cert-manager" + # Generated labels + app.kubernetes.io/version: "v1.14.7" +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + categories: + - cert-manager + scope: Cluster + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + type: object + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. + type: string + format: byte + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 
+ type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. 
PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' + type: string + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' 
+ type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + type: array + items: + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' 
+ type: string + clientSecretSecretRef: + description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
+ type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. 
If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. 
For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). 
There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. 
\n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. 
If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
+ type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
+ type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. 
Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. 
+ type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
+ type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 
+ type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + issuingCertificateURLs: + description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". + type: array + items: + type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. + type: string + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 
+ type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + kubernetes: + description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + type: object + required: + - role + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role to assume. 
A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceAccountRef: + description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + name: + description: Name of the ServiceAccount used to request a token. + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. 
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 
+ type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 
+ type: string + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + type: object + properties: + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + type: string + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: "cert-manager" + # Generated labels + app.kubernetes.io/version: "v1.14.7" +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + type: object + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. + type: string + format: byte + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 
+ type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. 
PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' + type: string + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' 
+ type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + type: array + items: + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' 
+ type: string + clientSecretSecretRef: + description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
+ type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. 
If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. 
For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). 
There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. 
\n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. 
If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
+ type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
+ type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. 
Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. 
+ type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
+ type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 
+ type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + issuingCertificateURLs: + description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". + type: array + items: + type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. + type: string + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 
+ type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + kubernetes: + description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + type: object + required: + - role + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role to assume. 
A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceAccountRef: + description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + name: + description: Name of the ServiceAccount used to request a token. + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. 
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 
+ type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 
+ type: string + status: + description: Status of the Issuer. This is set and managed automatically. + type: object + properties: + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + type: string + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.14.7" +spec: + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - issuerRef + - request + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + duration: + description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. 
+ type: string + name: + description: Name of the resource being referred to. + type: string + request: + description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. + type: string + format: byte + status: + type: object + properties: + authorizations: + description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. + type: array + items: + description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. + type: object + required: + - url + properties: + challenges: + description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. + type: array + items: + description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. + type: object + required: + - token + - type + - url + properties: + token: + description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. 
+ type: string + identifier: + description: Identifier is the DNS name to be validated as part of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL is the URL of the Authorization that must be completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + certificate: + description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. + type: string + format: byte + failureTime: + description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. + type: string + format: date-time + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. 
States 'success' and 'expired' are 'final' + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. + type: string + served: true + storage: true +--- +# Source: cert-manager/templates/cainjector-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: cert-manager-cainjector + namespace: cert-manager + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" +--- +# Source: cert-manager/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: cert-manager + namespace: cert-manager + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +--- +# Source: cert-manager/templates/webhook-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: cert-manager-webhook + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: 
["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update", "patch"] + - 
apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + 
app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update", "patch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update", "patch"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + 
resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [ "gateway.networking.k8s.io" ] + resources: [ "httproutes" ] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. + # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +--- +# Source: cert-manager/templates/rbac.yaml +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", 
"clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways", "httproutes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-cluster-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", 
"issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-edit + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] +--- +# Source: cert-manager/templates/rbac.yaml +# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-approve:cert-manager-io + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["signers"] + verbs: ["approve"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] +--- +# Source: cert-manager/templates/rbac.yaml +# Permission to: +# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers +# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + verbs: ["sign"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +rules: +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-cainjector +subjects: + - name: cert-manager-cainjector + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-issuers + labels: + app: 
cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-issuers +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-clusterissuers +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-certificates +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-orders +subjects: + - name: 
cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-challenges +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-ingress-shim +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-approve:cert-manager-io + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-approve:cert-manager-io +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + 
app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-certificatesigningrequests +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook:subjectaccessreviews +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +--- +# 
Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cert-manager-webhook:dynamic-serving + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: + - 'cert-manager-webhook-ca' + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. 
+- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-cainjector:leaderelection +subjects: + - kind: ServiceAccount + name: cert-manager-cainjector + namespace: cert-manager +--- +# Source: cert-manager/templates/rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cert-manager-webhook:dynamic-serving + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-webhook:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: 
cert-manager-webhook + namespace: cert-manager +--- +# Source: cert-manager/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: cert-manager + namespace: cert-manager + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: 9402 + selector: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" +--- +# Source: cert-manager/templates/webhook-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: cert-manager-webhook + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +spec: + type: ClusterIP + ports: + - name: https + port: 443 + protocol: TCP + targetPort: "https" + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" +--- +# Source: cert-manager/templates/cainjector-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-cainjector + namespace: cert-manager + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + template: + metadata: + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.7" + spec: + serviceAccountName: 
cert-manager-cainjector + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-cainjector + image: "quay.io/jetstack/cert-manager-cainjector:v1.14.7" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cert-manager/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager + namespace: cert-manager + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + template: + metadata: + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.7" + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + spec: + serviceAccountName: cert-manager + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-controller + image: "quay.io/jetstack/cert-manager-controller:v1.14.7" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.7 + - --max-concurrent-challenges=60 + ports: + - containerPort: 9402 + name: 
http-metrics + protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # LivenessProbe settings are based on those used for the Kubernetes + # controller-manager. See: + # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + livenessProbe: + httpGet: + port: http-healthz + path: /livez + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 8 + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cert-manager/templates/webhook-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-webhook + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + template: + metadata: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" + spec: + serviceAccountName: cert-manager-webhook + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-webhook + image: "quay.io/jetstack/cert-manager-webhook:v1.14.7" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca + - --dynamic-serving-dns-names=cert-manager-webhook + 
- --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE) + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc + + ports: + - name: https + protocol: TCP + containerPort: 10250 + - name: healthcheck + protocol: TCP + containerPort: 6080 + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cert-manager/templates/webhook-mutating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + resources: + - "certificaterequests" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). 
+ matchPolicy: Equivalent + timeoutSeconds: 30 + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /mutate +--- +# Source: cert-manager/templates/webhook-validating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.7" + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: cert-manager.io/disable-validation + operator: NotIn + values: + - "true" + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: 30 + failurePolicy: Fail + sideEffects: None + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /validate diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/values-schema.yaml new file mode 100644 index 000000000..048e9b813 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/values-schema.yaml 
@@ -0,0 +1,13 @@
+#@data/values-schema
+---
+#@schema/desc "The namespace in which to deploy cert-manager"
+namespace: cert-manager
+#@schema/nullable
+serviceaccount:
+ #@schema/desc "Annotations to set on the cert-manager service account. Annotations must be in annotation format, that is, map[string]string"
+ #@schema/type any=True
+ annotations:
+#@schema/desc "The namespace to use for cluster resources, e.g. Issuer, ClusterIssuer, Certificate, etc. If not set, the namespace will be the same as the cert-manager namespace"
+clusterResourceNamespace: cert-manager
+#@schema/desc "The namespace to use for leader election. Some infra providers can not use the default kube-system"
+leaderElectionNamespace: kube-system
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/downstream/cluster-issuer.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/downstream/cluster-issuer.yaml
new file mode 100644
index 000000000..a3f53ca07
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/downstream/cluster-issuer.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: educateswildcard
+spec:
+ selfSigned: {}
+#! namespace: By default, a ClusterIssuer will create secrets in cert-manager namespace
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/downstream/wildcard-cert.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/downstream/wildcard-cert.yaml
new file mode 100644
index 000000000..421356a9b
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/downstream/wildcard-cert.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: educateswildcard
+spec:
+ secretName: educateswildcard
+ issuerRef:
+ name: educateswildcard
+ kind: ClusterIssuer
+ dnsNames:
+ - REPLACE_ME
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/functions.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/functions.star
new file mode 100644
index 000000000..a76b5920b
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/functions.star
@@ -0,0 +1,9 @@
+load("@ytt:data", "data")
+
+def get_domains():
+ domains = []
+ for domain in data.values.domains:
+ domains.append("*.{}".format(domain))
+ end
+ return domains
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-acme-aws.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-acme-aws.yaml
new file mode 100644
index 000000000..fd5553819
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-acme-aws.yaml
@@ -0,0 +1,66 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:base64", "base64") +#@ load("@ytt:assert", "assert") +#@ load("functions.star", "get_domains") + +#@ if data.values.certProvider=="acme-aws": + +#@ (hasEmail, _) = assert.try_to(lambda: len(data.values.acme.email) > 0) +#@ (hasAwsCredsAccessKey, _) = assert.try_to(lambda: len(data.values.acme.aws.credentials.accessKey) > 0) +#@ (hasAwsCredsSecretKey, _) = assert.try_to(lambda: len(data.values.acme.aws.credentials.secretKey) > 0) +#@ if (hasAwsCredsSecretKey and not hasAwsCredsAccessKey) or (not hasAwsCredsSecretKey and hasAwsCredsAccessKey): +#@ assert.fail("`acme.aws.credentials.accessKey` and `acme.aws.credentials.secretKey` must both be provided") +#@ end + +#@ if hasAwsCredsAccessKey and hasAwsCredsSecretKey: +--- +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-aws-values + namespace: #@ data.values.certmanagerClusterResourceNamespace +type: Opaque +data: + awsAccessKeyID: #@ base64.encode("{}".format(data.values.acme.aws.credentials.accessKey)) + awsSecretAccessKey: #@ base64.encode("{}".format(data.values.acme.aws.credentials.secretKey)) +#@ end + +#@overlay/match by=overlay.subset({"kind":"ClusterIssuer", "metadata": {"name": "educateswildcard"}}) +--- +spec: + #@overlay/remove + selfSigned: + #@overlay/match missing_ok=True + acme: + #@ if/end hasEmail: + email: #@ data.values.acme.email + privateKeySecretRef: + name: educates-wildcard-acme + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + #@overlay/match by=lambda i,l,r: "dns01" in l + - dns01: + route53: + region: #@ data.values.acme.aws.certs.region + #@ if hasAwsCredsAccessKey and hasAwsCredsSecretKey: + accessKeyID: #@ data.values.acme.aws.credentials.accessKey + secretAccessKeySecretRef: + name: cert-manager-aws-values + key: awsSecretAccessKey + #@ end + #@overlay/match by=lambda i,l,r: "http01" in l + - http01: + ingress: + class: #@ data.values.acme.ingressClass + 
+#@overlay/match by=overlay.subset({"kind":"Certificate", "metadata": {"name": "educateswildcard"}})
+---
+metadata:
+ #@overlay/match missing_ok=True
+ namespace: #@ data.values.wildcardCertificateNamespace
+spec:
+ #@overlay/replace
+ dnsNames: #@ get_domains()
+
+#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-acme-gcp.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-acme-gcp.yaml
new file mode 100644
index 000000000..a2774034d
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-acme-gcp.yaml
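Review bot: `region: #@ data.values.acme.aws.certs.region` is read without a guard even though `acme`, `acme.aws` and `acme.aws.certs` are all `#@schema/nullable` in the certs values schema, so selecting `certProvider: acme-aws` without a region (or without the `aws` block at all) fails with a None-attribute error instead of the descriptive `assert.fail` the credentials get a few lines earlier. Add the same pattern before the overlay: `#@ (hasRegion, _) = assert.try_to(lambda: len(data.values.acme.aws.certs.region) > 0)` followed by `#@ hasRegion or assert.fail("acme.aws.certs.region must be provided when certProvider is acme-aws")`. `class: #@ data.values.acme.ingressClass` has the same exposure to a null `acme` block, both here and in overlay-acme-gcp.yaml.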
@@ -0,0 +1,46 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:base64", "base64") +#@ load("@ytt:assert", "assert") +#@ load("functions.star", "get_domains") + +#@ if data.values.certProvider=="acme-gcp": + +#@ (hasEmail, _) = assert.try_to(lambda: len(data.values.acme.email) > 0) +#@ (hasProject, _) = assert.try_to(lambda: len(data.values.acme.gcp.project) > 0) +#@ if (not hasProject): +#@ assert.fail("`acme.gcp.project` must be provided") +#@ end + +#@overlay/match by=overlay.subset({"kind":"ClusterIssuer", "metadata": {"name": "educateswildcard"}}) +--- +spec: + #@overlay/remove + selfSigned: + #@overlay/match missing_ok=True + acme: + #@ if/end hasEmail: + email: #@ data.values.acme.email + privateKeySecretRef: + name: educates-wildcard-acme + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + #@overlay/match by=lambda i,l,r: "dns01" in l + - dns01: + cloudDNS: + project: #@ data.values.acme.gcp.project + #@overlay/match by=lambda i,l,r: "http01" in l + - http01: + ingress: + class: #@ data.values.acme.ingressClass + +#@overlay/match by=overlay.subset({"kind":"Certificate", "metadata": {"name": "educateswildcard"}}) +--- +metadata: + #@overlay/match missing_ok=True + namespace: #@ data.values.wildcardCertificateNamespace +spec: + #@overlay/replace + dnsNames: #@ get_domains() + +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-localca.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-localca.yaml new file mode 100644 index 000000000..0550f020d --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/overlays/overlay-localca.yaml 
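Review bot: `#@ load("@ytt:base64", "base64")` is not used anywhere in this overlay; unlike the AWS variant it renders no Secret, so the load can be dropped. The `cloudDNS` solver sets only `project` and no `serviceAccountSecretRef`, which means cert-manager presumably has to obtain Google credentials from its own pod identity; a comment such as `#! No serviceAccountSecretRef: the cert-manager pod's ambient GCP credentials (e.g. Workload Identity) must be allowed to edit the Cloud DNS zone` would make that prerequisite visible to whoever installs the package.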
@@ -0,0 +1,50 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:base64", "base64")
+#@ load("functions.star", "get_domains")
+
+#@ if data.values.certProvider=="local":
+
+#@ if hasattr(data.values.local, "caCertificate") and data.values.local.caCertificate:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: local-root-ca
+ namespace: #@ data.values.certmanagerClusterResourceNamespace
+data:
+ ca.crt: #@ base64.encode(data.values.local.caCertificate["ca.crt"])
+ tls.crt: #@ base64.encode(data.values.local.caCertificate["ca.key"])
+
+#@overlay/match by=overlay.subset({"kind":"ClusterIssuer", "metadata": {"name": "educateswildcard"}})
+---
+spec:
+ #@overlay/remove
+ selfSigned:
+ #@overlay/match missing_ok=True
+ ca:
+ secretName: local-root-ca
+
+#@ elif hasattr(data.values.local, "caCertificateRef"):
+
+#@overlay/match by=overlay.subset({"kind":"ClusterIssuer", "metadata": {"name": "educateswildcard"}})
+---
+spec:
+ #@overlay/remove
+ selfSigned:
+ #@overlay/match missing_ok=True
+ ca:
+ secretName: #@ data.values.local.caCertificateRef.name
+
+#@ end
+
+#@overlay/match by=overlay.subset({"kind":"Certificate", "metadata": {"name": "educateswildcard"}})
+---
+metadata:
+ #@overlay/match missing_ok=True
+ namespace: #@ data.values.wildcardCertificateNamespace
+spec:
+ #@overlay/replace
+ dnsNames: #@ get_domains()
+
+#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/upstream/.gitkeep b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/upstream/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/values-schema.yaml
new file mode 100644
index 000000000..7961eebf6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/certs/values-schema.yaml
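Review bot: The `local-root-ca` Secret stores the CA private key under `tls.crt` and never sets `tls.key`: `tls.crt: #@ base64.encode(data.values.local.caCertificate["ca.key"])`. A cert-manager CA issuer reads the signing certificate from `tls.crt` and the signing key from `tls.key` of the referenced Secret, so as written the issuer has no key to sign with and the private key ends up in the field meant for the public certificate. Change the data block to `tls.crt: #@ base64.encode(data.values.local.caCertificate["ca.crt"])` and `tls.key: #@ base64.encode(data.values.local.caCertificate["ca.key"])` (keeping `ca.crt`), and consider `type: kubernetes.io/tls` so the API server rejects a Secret missing either key. Separately, the `caCertificateRef` branch uses only `.name`; the schema also declares `caCertificateRef.namespace`, but a ClusterIssuer resolves `ca.secretName` in cert-manager's cluster resource namespace, so that value is currently ignored and the schema description promising it will "overwrite cert-manager's ns" is not honoured.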
@@ -0,0 +1,64 @@ +#@data/values-schema +#@schema/validation one_not_null=["acme", "local"] +--- +#! Namespace that cert-manager has configured for ClusterResources +#@schema/validation min_len=1 +certmanagerClusterResourceNamespace: cert-manager + +#@schema/validation min_len=1 +wildcardCertificateNamespace: projectcontour + +#@schema/validation min_len=1 +domains: + - "" + +#! The provider to use for certificate management +#! acme-aws: Use AWS Route53 for DNS01 challenge +#! acme-gcp: Use GCP CloudDNS for DNS01 challenge +#! local: Use a cert-manager generated ClusterIssuer with the provided root CA +#@schema/validation one_of=["acme-aws", "acme-gcp", "local"] +#@schema/desc "The provider to use for certificate management\nacme-aws: Use AWS Route53 for DNS01 challenge\nlocal: Use a locally generated root CA\nprovided: Use a provided wildcard certificate" +certProvider: "" #! One of acme-aws, acme-gcp, local + +#@schema/desc "ACME provider related configuration" +#@schema/nullable +acme: + #@schema/validation min_len=1 + ingressClass: contour + #@schema/desc "If you want to get notified by Let's encrypt of certificate expiration" + #@schema/nullable + email: "" + #! Aws credentials for IAM user with privileges to use cert-manager DNS01 (Leave empty if using AWS IAM IRSA) + #@schema/nullable + aws: + #@schema/nullable + credentials: + #@schema/desc "AWS access key. When provided along with the aws.secretKey, a Secret will be created and referenced in the external-dns Deployment." + accessKey: "" + #@schema/desc "AWS secret key. When provided along with the aws.accessKey, a Secret will be created and referenced in the external-dns Deployment." 
+ secretKey: "" + #@schema/nullable + certs: + #@schema/desc "Region where the cluster is located" + #@schema/validation min_len=1 + region: "" + #@schema/nullable + gcp: + #@schema/validation min_len=1 + project: "" + +#@schema/nullable +#@schema/validation one_not_null=["caCertificate", "caCertificateRef"] +local: + #@schema/nullable + caCertificate: + #@schema/validation min_len=1 + ca.crt: "" + ca.key: "" + #@schema/nullable + caCertificateRef: + #@schema/validation min_len=1 + name: "" + #@schema/validation min_len=1 + #@schema/desc "The namespace in which the Secret containing the root CA is located. When this is provided will overwrite cert-manager's ns" + namespace: "" diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/.gitkeep b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/contour.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/contour.star new file mode 100644 index 000000000..41523a749 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/contour.star @@ -0,0 +1,14 @@ +load("@ytt:data", "data") + +def should_add_externaldns_annotation(): + return hasattr(data.values, "externaldns") and hasattr(data.values.externaldns, "domains") +end + + +def external_dns_annotation(): + dns_domains = [] + for domain in data.values.externaldns.domains: + dns_domains.append("*.{}.".format(domain)) + end + return ",".join(dns_domains) +end \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-configure-externaldns.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-configure-externaldns.yaml new file mode 100644 index 000000000..3834f79d2 --- /dev/null 
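Review bot: `#@schema/validation min_len=1` above `ca.crt` applies only to that key, so `ca.key: ""` is accepted by the schema and an empty signing key is discovered only when cert-manager tries to issue; add `#@schema/validation min_len=1` above `ca.key` as well. The descriptions on `accessKey` and `secretKey` say the Secret is "referenced in the external-dns Deployment", but in this package the Secret is `cert-manager-aws-values` consumed by the ClusterIssuer's route53 solver (overlay-acme-aws.yaml), so the text looks copied from another package's schema. The `#@schema/desc` on `certProvider` lists `provided`, which `one_of=["acme-aws", "acme-gcp", "local"]` rejects, and omits `acme-gcp`; the `#!` comment just above it is the accurate list.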
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-configure-externaldns.yaml
@@ -0,0 +1,11 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+#@ load("contour.star", "should_add_externaldns_annotation", "external_dns_annotation")
+
+#@overlay/match by=overlay.subset({"kind":"Service", "metadata": {"name": "envoy"}})
+---
+metadata:
+ annotations:
+ #@ if/end should_add_externaldns_annotation():
+ #@overlay/match missing_ok=True
+ external-dns.alpha.kubernetes.io/hostname: #@ external_dns_annotation()
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-contour.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-contour.yaml
new file mode 100644
index 000000000..3fc1ae194
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-contour.yaml
@@ -0,0 +1,41 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") +#@ load("@ytt:yaml", "yaml") +#@ load("/rules.star", "default_HTTP_Versions") + +#@ def contour_config(): +incluster: true +disablePermitInsecure: false +tls: + fallback-certificate: + name: fallback-secret-name + namespace: #@ data.values.namespace + envoy-client-certificate: +accesslog-format: envoy +default-http-versions: #@ data.values.configFileContents.defaultHttpVersions or default_HTTP_Versions() +#@ end + +#@ if/end hasattr(data.values, "contour") and data.values.contour != None: +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "contour"}}) +--- +spec: + replicas: #@ data.values.contour.replicas + +#@overlay/match by=overlay.subset({"kind":"ConfigMap", "metadata": {"name": "contour"}}) +--- +data: + contour.yaml: #@ yaml.encode(contour_config()) + +#@overlay/match by=overlay.subset({"kind":"CustomResourceDefinition"}),expects="2+" +--- +#@overlay/remove +#@overlay/match missing_ok=True +status: + +#@overlay/match by=overlay.subset({"kind":"Job"}),expects=1 +--- +metadata: + #@overlay/match missing_ok=True + annotations: + #@overlay/match missing_ok=True + kapp.k14s.io/update-strategy: "fallback-on-replace" diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-infra-kind.yaml similarity index 54% rename from carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/overlays.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-infra-kind.yaml index 6ca7437e6..fa5b316f6 100644 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/overlays.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-infra-kind.yaml 
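Review bot: `contour_config()` hard-codes `fallback-certificate: name: fallback-secret-name`, which is the commented-out placeholder from the upstream ConfigMap (`# name: fallback-secret-name` in 01-contour-config.yaml) rather than a Secret any file in this diff creates; unless an overlay outside this diff provides it, an HTTPProxy that enables the fallback certificate will reference a Secret that does not exist, and the name should come from a data value (the wildcard Certificate in the certs package writes its Secret as `educateswildcard`). `disablePermitInsecure: false` keeps the upstream default that lets HTTPProxy authors opt out of the HTTPS redirect; a one-line `#!` comment stating that this is deliberate would save the next reviewer from raising it. Note also that the `#@ if/end` guard on `data.values.contour` covers only the Deployment replicas document, while the ConfigMap overlay after it is unconditional, which looks intended but is easy to misread.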
@@ -1,7 +1,7 @@ #@ load("@ytt:data", "data") #@ load("@ytt:overlay", "overlay") -#@ if data.values.clusterInfrastructure.provider == "kind": +#@ if data.values.infraProvider == "kind": #@overlay/match by=overlay.subset({"kind": "DaemonSet", "metadata": {"name": "envoy", "namespace": "projectcontour"}}) --- spec: @@ -9,13 +9,13 @@ spec: spec: #@overlay/match missing_ok=True nodeSelector: - ingress-ready: 'true' + ingress-ready: "true" #@overlay/match missing_ok=True tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Equal - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Equal - effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + operator: Equal + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Equal + effect: NoSchedule #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-job.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-job.yaml new file mode 100644 index 000000000..c5afa5cd0 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-job.yaml @@ -0,0 +1,29 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#! TODO: When cert-manager is installed on the cluster, we can remove this job + +#@overlay/match by=overlay.subset({"kind":"Job"}),expects="0+" +--- +spec: + template: + spec: + containers: + #@overlay/match by="name" + - name: contour + env: + #@overlay/match by="name" + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + #@overlay/match missing_ok=True + apiVersion: v1 + fieldPath: metadata.namespace + +#@overlay/match by=overlay.subset({"kind":"Job"}),expects="0+" +--- +metadata: + #@overlay/match missing_ok=True + annotations: + #@overlay/match missing_ok=True + kapp.k14s.io/update-strategy: "fallback-on-replace" \ No newline at end of file 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-ns.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-ns.yaml new file mode 100644 index 000000000..869824988 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-ns.yaml @@ -0,0 +1,33 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@ if/end not data.values.createNamespace: +#@overlay/match by=overlay.subset({"kind":"Namespace", "metadata":{"name": "projectcontour"}}) +#@overlay/remove +--- +#@overlay/match by=overlay.subset({"kind":"Namespace", "metadata":{"name": "projectcontour"}}), expects=[0,1] +--- +apiVersion: v1 +kind: Namespace +metadata: + name: #@ data.values.namespace + +#@overlay/match by=overlay.subset({"metadata": {"namespace": "projectcontour"}}), expects="1+" +--- +metadata: + #@overlay/match missing_ok=True + namespace: #@ data.values.namespace + +#@overlay/match by=overlay.subset({"kind":"RoleBinding"}),expects=[1,2,3] +--- +subjects: + #@overlay/match by=overlay.all + - kind: ServiceAccount + namespace: #@ data.values.namespace + +#@overlay/match by=overlay.subset({"kind":"ClusterRoleBinding", "metadata": {"name": "contour"}}) +--- +subjects: + #@overlay/match by=overlay.all + - kind: ServiceAccount + namespace: #@ data.values.namespace diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-remove-hostports.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-remove-hostports.yaml new file mode 100644 index 000000000..e3bc462b3 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-remove-hostports.yaml 
@@ -0,0 +1,22 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@ if data.values.service.useHostPorts == False:
+#@overlay/match by=overlay.subset({"kind":"DaemonSet", "metadata": {"name": "envoy"}})
+---
+spec:
+ template:
+ spec:
+ containers:
+ #@overlay/match by=overlay.subset({"name": "envoy"})
+ - name: envoy
+ ports:
+ #@overlay/match by=overlay.subset({"name": "http"})
+ - name: http
+ #@overlay/remove
+ hostPort: 80
+ #@overlay/match by=overlay.subset({"name": "https"})
+ - name: https
+ #@overlay/remove
+ hostPort: 443
+#@ end
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-service.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-service.yaml
new file mode 100644
index 000000000..8ae0a7631
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/overlays/overlay-service.yaml
@@ -0,0 +1,10 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@overlay/match by=overlay.subset({"kind":"Service", "metadata": {"name": "envoy"}})
+---
+spec:
+ type: #@ data.values.service.type
+ #@ if/end data.values.service.type=="ClusterIP":
+ #@overlay/remove
+ externalTrafficPolicy:
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/rules.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/rules.star
new file mode 100644
index 000000000..ddd592529
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/rules.star
@@ -0,0 +1,24 @@
+def check_infra(val):
+ if val["infraProvider"] in ["aws", "gcp", "azure"]:
+ return val["service"]["type"] == "LoadBalancer" or fail("{} infra provider requires service.type to be LoadBalancer".format(val["infraProvider"]))
+ end
+ if val["infraProvider"] in ["kind", "minikube"]:
+ return val["service"]["type"] == "ClusterIP" or fail("{} infra provider requires service.type to be ClusterIP".format(val["infraProvider"]))
+ end
+ return True
+end
+
+def check_host_ports(val):
+ if val["infraProvider"] in ["kind", "aws", "gcp", "azure", "minikube"]:
+ return val["service"]["useHostPorts"] == True or fail("{} infra provider requires service.useHostPorts to be True".format(val["infraProvider"]))
+ end
+ return True
+end
+
+def check_all(val):
+ return check_infra(val) and check_host_ports(val)
+end
+
+def default_HTTP_Versions():
+ return ["HTTP/1.1", "HTTP/2"]
+end
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/00-common.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/00-common.yaml
new file mode 100644
index 000000000..c037ee61b
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/00-common.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: projectcontour
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: contour
+ namespace: projectcontour
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: envoy
+ namespace: projectcontour
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/01-contour-config.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/01-contour-config.yaml
new file mode 100644
index 000000000..59b89005e
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/01-contour-config.yaml
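Review bot: `check_host_ports` requires `service.useHostPorts` to be True for `aws`, `gcp` and `azure`, the same providers that `check_infra` forces to `service.type: LoadBalancer`; if the cloud load balancer is the intended entry point, also binding envoy to ports 80/443 on every node widens the exposed surface for no benefit, so either drop the cloud providers from that list or add a comment explaining why host ports are needed alongside the LoadBalancer. Any `infraProvider` value outside the two lists passes both checks silently, which is presumably intended but deserves a comment on `return True`. Style: `val["service"]["useHostPorts"] == True` can be just `val["service"]["useHostPorts"]`, and `check_infra` could bind `val["infraProvider"]` to a local once instead of repeating the lookup four times.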
@@ -0,0 +1,185 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the Gateway API configuration. + # gateway: + # controllerName: projectcontour.io/gateway-controller + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # + # Disable Envoy's non-standard merge_slashes path transformation option + # that strips duplicate slashes from request URLs. + # disableMergeSlashes: false + # + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. + # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + #### + # ExternalName Services are disabled by default due to CVE-2021-XXXXX + # You can re-enable them by setting this setting to `true`. + # This is not recommended without understanding the security implications. 
+ # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. + # enableExternalNameService: false + ## + # Address to be placed in status.loadbalancer field of Ingress objects. + # May be either a literal IP address or a host name. + # The value will be placed directly into the relevant field inside the status.loadBalancer struct. + # ingress-status-address: local.projectcontour.io + ### Logging options + # Default setting + accesslog-format: envoy + # The default access log format is defined by Envoy but it can be customized by setting following variable. + # accesslog-format-string: "...\n" + # To enable JSON logging in Envoy + # accesslog-format: json + # accesslog-level: info + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. + # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # - "grpc_status" + # - "grpc_status_number" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # connect-timeout: 2s + # + # Envoy cluster settings. 
+ # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # Configure the port used to access the Envoy Admin interface. + # admin-port: 9001 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. + # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED + # instead of the default UNAVAILABLE + # enableResourceExhaustedCode: false + # + # Global Policy settings. 
+ # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # + # metrics: + # contour: + # address: 0.0.0.0 + # port: 8000 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + # envoy: + # address: 0.0.0.0 + # port: 8002 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + # + # listener: + # connection-balancer: exact + # socket-options: + # tos: 64 + # traffic-class: 64 diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/01-crds.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/01-crds.yaml new file mode 100644 index 000000000..6695ac9b8 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/01-crds.yaml 
@@ -0,0 +1,8547 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: contourconfigurations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourConfiguration + listKind: ContourConfigurationList + plural: contourconfigurations + shortNames: + - contourconfig + singular: contourconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourConfiguration is the schema for a Contour instance. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. + properties: + debug: + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". + type: string + port: + description: |- + Defines the Contour debug address port. + Contour's default is 6060. 
+ type: integer + type: object + enableExternalNameService: + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. + type: boolean + envoy: + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. + properties: + circuitBreakers: + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object + dnsLookupFamily: + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. 
If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. + type: string + maxRequestsPerConnection: + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. 
This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + type: object + defaultHTTPVersions: + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. 
HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. + items: + description: HTTPVersionType is the name of a supported HTTP + version. + type: string + type: array + health: + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. 
+ Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. + type: string + disableAllowChunkedLength: + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. + type: boolean + disableMergeSlashes: + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. + type: boolean + httpMaxConcurrentStreams: + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. + format: int32 + minimum: 1 + type: integer + maxConnectionsPerListener: + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer + maxRequestsPerConnection: + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. 
+ format: int32 + minimum: 1 + type: integer + maxRequestsPerIOCycle: + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + serverHeaderTransformation: + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. + type: string + socketOptions: + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. + properties: + tos: + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. 
+ If listeners are bound to IPv6-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + trafficClass: + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + type: object + tls: + description: TLS holds various configurable Envoy TLS listener + values. + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. 
+ See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + useProxyProtocol: + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. + type: string + accessLogFormatString: + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. + type: string + accessLogJSONFields: + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. 
+ Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. + type: integer + numTrustedHops: + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. + format: int32 + type: integer + type: object + service: + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. + properties: + connectTimeout: + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. 
+ If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. + type: string + connectionIdleTimeout: + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. + type: string + connectionShutdownGracePeriod: + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. + type: string + delayedCloseTimeout: + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. 
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. + type: string + maxConnectionDuration: + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. + type: string + requestTimeout: + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. 
+ type: string + type: object + type: object + featureFlags: + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. + items: + type: string + type: array + gateway: + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. + properties: + controllerName: + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. + Deprecated: users should use GatewayRef, or the Gateway provisioner, + in place of this field. This field will be removed in a future release. + type: string + gatewayRef: + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + globalExtAuth: + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. + properties: + authPolicy: + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. 
If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy will + buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of message + body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to Authorization + Server is in raw bytes. + type: boolean + type: object + type: object + health: + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces for + root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. 
+ properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. 
+ properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor entry + with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". + type: string + value: + description: Value defines the value of the + descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the key + to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name of + the header to look for on the request. 
+ minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be equal + to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. 
The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of the + descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableResourceExhaustedCode: + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. 
When disabled it's translated to UNAVAILABLE + type: boolean + enableXRateLimitHeaders: + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. + type: boolean + required: + - extensionService + type: object + tracing: + description: Tracing defines properties for exporting trace data to + OpenTelemetry. + properties: + customTags: + description: CustomTags defines a list of custom tags with unique + tag name. + items: + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. + properties: + literal: + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. + type: string + requestHeaderName: + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. + type: string + tagName: + description: TagName is the unique name of the custom tag. + type: string + required: + - tagName + type: object + type: array + extensionService: + description: ExtensionService identifies the extension service + defining the otel-collector. 
+ properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + includePodDetail: + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. + type: boolean + maxPathTagLength: + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. + format: int32 + type: integer + overallSampling: + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. + type: string + serviceName: + description: |- + ServiceName defines the name for the service. + contour's default is contour. + type: string + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". + minLength: 1 + type: string + port: + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. 
+ type: string + type: object + type: object + status: + description: ContourConfigurationStatus defines the observed state of + a ContourConfiguration resource. + properties: + conditions: + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. + items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. 
+ When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. + properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: contourdeployments.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourDeployment + listKind: ContourDeploymentList + plural: contourdeployments + shortNames: + - contourdeploy + singular: contourdeployment + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourDeployment is the schema for a Contour Deployment. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + ContourDeploymentSpec specifies options for how a Contour + instance should be provisioned. + properties: + contour: + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. + properties: + deployment: + description: Deployment describes the settings for running contour + as a `Deployment`. + properties: + replicas: + description: Replicas is the desired number of replicas. + format: int32 + minimum: 0 + type: integer + strategy: + description: Strategy describes the deployment strategy to + use to replace existing pods with new pods. + properties: + rollingUpdate: + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. 
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. + type: string + type: object + type: object + disabledFeatures: + description: |- + DisabledFeatures defines an array of resources that will be ignored by + contour reconciler. + items: + enum: + - grpcroutes + - tlsroutes + - extensionservices + - backendtlspolicies + type: string + maxItems: 42 + minItems: 1 + type: array + kubernetesLogLevel: + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. + maximum: 9 + minimum: 0 + type: integer + logLevel: + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". 
+ type: string + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Contour pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. + type: object + tolerations: + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. + type: object + replicas: + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. + format: int32 + minimum: 0 + type: integer + resources: + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + watchNamespaces: + description: |- + WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance + to only watch this subset of namespaces. + items: + description: |- + Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label. + This validation is based off of the corresponding Kubernetes validation: + https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187 + This is used for Namespace name validation here: + https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63 + Valid values include: + * "example" + Invalid values include: + * "example.com" - "." 
is an invalid character + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + maxItems: 42 + minItems: 1 + type: array + type: object + envoy: + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. + properties: + baseID: + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. + format: int32 + minimum: 0 + type: integer + daemonSet: + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil + properties: + updateStrategy: + description: Strategy describes the deployment strategy to + use to replace existing DaemonSet pods with new pods. + properties: + rollingUpdate: + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. 
+ Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. 
Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + type: object + deployment: + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil + properties: + replicas: + description: Replicas is the desired number of replicas. + format: int32 + minimum: 0 + type: integer + strategy: + description: Strategy describes the deployment strategy to + use to replace existing pods with new pods. + properties: + rollingUpdate: + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. 
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. + type: string + type: object + type: object + extraVolumeMounts: + description: ExtraVolumeMounts holds the extra volume mounts to + add (normally used with extraVolumes). + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + extraVolumes: + description: ExtraVolumes holds the extra volumes to add. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. 
+ properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + logLevel: + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". + type: string + networkPublishing: + description: NetworkPublishing defines how to expose Envoy to + a network. + properties: + externalTrafficPolicy: + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". + type: string + ipFamilyPolicy: + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). + type: string + serviceAnnotations: + additionalProperties: + type: string + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. + type: object + type: + description: |- + NetworkPublishingType is the type of publishing strategy to use. 
Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes + NodePort Service is created to publish the network endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes + ClusterIP Service is created to publish the network endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. + type: string + type: object + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Envoy pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. + type: object + tolerations: + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. 
One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + overloadMaxHeapSize: + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. 
+ When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ + format: int64 + type: integer + podAnnotations: + additionalProperties: + type: string + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. + type: object + replicas: + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. + format: int32 + minimum: 0 + type: integer + resources: + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + workloadType: + description: |- + WorkloadType is the type of workload to install Envoy + as. Choices are DaemonSet and Deployment. If unset, defaults + to DaemonSet. + type: string + type: object + resourceLabels: + additionalProperties: + type: string + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. + type: object + runtimeSettings: + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. 
+ properties: + debug: + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". + type: string + port: + description: |- + Defines the Contour debug address port. + Contour's default is 6060. + type: integer + type: object + enableExternalNameService: + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. + type: boolean + envoy: + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. + properties: + circuitBreakers: + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. 
+ format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object + dnsLookupFamily: + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. + type: string + maxRequestsPerConnection: + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. 
+ If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. 
+ items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + type: object + defaultHTTPVersions: + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. + items: + description: HTTPVersionType is the name of a supported + HTTP version. + type: string + type: array + health: + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. 
+ type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. + type: string + disableAllowChunkedLength: + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. + type: boolean + disableMergeSlashes: + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. + type: boolean + httpMaxConcurrentStreams: + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. 
+ format: int32 + minimum: 1 + type: integer + maxConnectionsPerListener: + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer + maxRequestsPerConnection: + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. + format: int32 + minimum: 1 + type: integer + maxRequestsPerIOCycle: + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + serverHeaderTransformation: + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". 
+ When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. + type: string + socketOptions: + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. + properties: + tos: + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + trafficClass: + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + type: object + tls: + description: TLS holds various configurable Envoy TLS + listener values. + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. 
+ Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + useProxyProtocol: + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. 
+ type: string + accessLogFormatString: + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. + type: string + accessLogJSONFields: + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. + type: integer + numTrustedHops: + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. 
+ See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. + format: int32 + type: integer + type: object + service: + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. + properties: + connectTimeout: + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. + type: string + connectionIdleTimeout: + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. + type: string + connectionShutdownGracePeriod: + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. 
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. + type: string + delayedCloseTimeout: + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. + type: string + maxConnectionDuration: + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. + type: string + requestTimeout: + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. 
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. + type: string + type: object + type: object + featureFlags: + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. + items: + type: string + type: array + gateway: + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. + properties: + controllerName: + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. + Deprecated: users should use GatewayRef, or the Gateway provisioner, + in place of this field. This field will be removed in a future release. + type: string + gatewayRef: + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. 
If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + globalExtAuth: + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. + properties: + authPolicy: + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. + type: boolean + type: object + type: object + health: + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. 
+ type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. 
+ type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". 
+ type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. 
+ properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. 
+ minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableResourceExhaustedCode: + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE + type: boolean + enableXRateLimitHeaders: + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. + type: boolean + required: + - extensionService + type: object + tracing: + description: Tracing defines properties for exporting trace data + to OpenTelemetry. + properties: + customTags: + description: CustomTags defines a list of custom tags with + unique tag name. + items: + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. + properties: + literal: + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. 
+ type: string + requestHeaderName: + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. + type: string + tagName: + description: TagName is the unique name of the custom + tag. + type: string + required: + - tagName + type: object + type: array + extensionService: + description: ExtensionService identifies the extension service + defining the otel-collector. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + includePodDetail: + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. + type: boolean + maxPathTagLength: + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. + format: int32 + type: integer + overallSampling: + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. + type: string + serviceName: + description: |- + ServiceName defines the name for the service. + contour's default is contour. + type: string + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". + minLength: 1 + type: string + port: + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. + type: string + type: object + type: object + type: object + status: + description: ContourDeploymentStatus defines the observed state of a ContourDeployment + resource. + properties: + conditions: + description: Conditions describe the current conditions of the ContourDeployment + resource. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. + properties: + requestHashPolicies: + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. + items: + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. + properties: + hashSourceIP: + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + headerName: + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. 
It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + parameterName: + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + protocol: + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. + enum: + - v3 + type: string + services: + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. 
+ Otherwise, traffic is balanced proportionally to the + Weight field in each entry. + items: + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. + properties: + name: + description: |- + Name is the name of Kubernetes service that will accept service + traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' + required: + - services + type: object + status: + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. + properties: + conditions: + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. 
+ items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. 
+ properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. + items: + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. + properties: + exact: + description: |- + Exact defines a exact match for a request. + This field is not allowed in include match conditions. + type: string + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. 
+ type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + queryParameter: + description: QueryParameter specifies the query parameter + condition to match. 
+ properties: + contains: + description: |- + Contains specifies a substring that must be present in + the query parameter value. + type: string + exact: + description: Exact specifies a string that the query + parameter value must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. + type: string + prefix: + description: Prefix defines a prefix match for the + query parameter value. + type: string + present: + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. + type: string + suffix: + description: Suffix defines a suffix match for a query + parameter value. + type: string + required: + - name + type: object + regex: + description: |- + Regex defines a regex match for a request. + This field is not allowed in include match conditions. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + ingressClassName: + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. 
+ type: string + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + conditions: + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. + items: + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. + properties: + exact: + description: |- + Exact defines a exact match for a request. + This field is not allowed in include match conditions. + type: string + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. 
+ Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + queryParameter: + description: QueryParameter specifies the query parameter + condition to match. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the query parameter value. + type: string + exact: + description: Exact specifies a string that the query + parameter value must be equal to. 
+ type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. + type: string + prefix: + description: Prefix defines a prefix match for the + query parameter value. + type: string + present: + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. + type: string + suffix: + description: Suffix defines a suffix match for a query + parameter value. + type: string + required: + - name + type: object + regex: + description: |- + Regex defines a regex match for a request. + This field is not allowed in include match conditions. + type: string + type: object + type: array + cookieRewritePolicies: + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. + items: + properties: + domainRewrite: + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. 
+ maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + directResponsePolicy: + description: DirectResponsePolicy returns an arbitrary HTTP + response directly. + properties: + body: + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. + type: string + statusCode: + description: StatusCode is the HTTP response status to be + returned. + maximum: 599 + minimum: 200 + type: integer + required: + - statusCode + type: object + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + expectedStatuses: + description: |- + The ranges of HTTP response statuses considered healthy. 
Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. + items: + properties: + end: + description: The end (exclusive) of a range of HTTP + status codes. + format: int64 + maximum: 600 + minimum: 101 + type: integer + start: + description: The start (inclusive) of a range of HTTP + status codes. + format: int64 + maximum: 599 + minimum: 100 + type: integer + required: + - end + - start + type: object + type: array + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + internalRedirectPolicy: + description: The policy to define when to handle redirects responses + internally. + properties: + allowCrossSchemeRedirect: + default: Never + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. 
+ SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. + enum: + - Always + - Never + - SafeOnly + type: string + denyRepeatedRouteRedirect: + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. + type: boolean + maxInternalRedirects: + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. + format: int32 + type: integer + redirectResponseCodes: + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. + items: + description: RedirectResponseCode is a uint32 type alias + with validation to ensure that the value is valid. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + format: int32 + type: integer + type: array + type: object + ipAllowPolicy: + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. + type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. 
+ - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + ipDenyPolicy: + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. + type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + jwtVerificationPolicy: + description: The policy for verifying JWTs for requests to this + route. + properties: + disabled: + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. + type: boolean + require: + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. 
+ type: string + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. + items: + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. + properties: + hashSourceIP: + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + headerName: + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + parameterName: + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. 
+ minLength: 1 + type: string + type: object + terminal: + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + pathRewritePolicy: + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. + minLength: 1 + type: string + replacement: + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. 
+ minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. 
+ properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. 
+ type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + local: + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. 
+ properties: + burst: + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. + format: int32 + type: integer + requests: + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. 
+ **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + requestRedirectPolicy: + description: RequestRedirectPolicy defines an HTTP redirection. + properties: + hostname: + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. + pattern: ^\/.*$ + type: string + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. 
+ pattern: ^\/.*$ + type: string + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status code to be used + in response. + enum: + - 301 + - 302 + type: integer + type: object + responseHeadersPolicy: + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + default: 1 + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. + format: int64 + minimum: -1 + type: integer + perTryTimeout: + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. + items: + format: int32 + type: integer + type: array + retryOn: + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Domain attribute to. 
+ For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for + which attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + healthPort: + description: |- + HealthPort is the port for this service healthcheck. + If not specified, Port is used for service healthchecks. + maximum: 65535 + minimum: 1 + type: integer + mirror: + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. 
+ NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values + type: boolean + name: + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. 
+ items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + slowStartPolicy: + description: Slow start will gradually increase amount + of traffic to a newly added endpoint. + properties: + aggression: + default: "1.0" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start + pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ + type: string + minWeightPercent: + default: 10 + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + window: + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + required: + - window + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). 
+ Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. 
+ properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. + properties: + requestHashPolicies: + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. + items: + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. + properties: + hashSourceIP: + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. 
It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + headerName: + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + parameterName: + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. 
+ items: + properties: + domainRewrite: + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + healthPort: + description: |- + HealthPort is the port for this service healthcheck. + If not specified, Port is used for service healthchecks. + maximum: 65535 + minimum: 1 + type: integer + mirror: + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. 
+ If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values + type: boolean + name: + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: |- + The policy for managing response headers during proxying. 
+ Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + slowStartPolicy: + description: Slow start will gradually increase amount of + traffic to a newly added endpoint. + properties: + aggression: + default: "1.0" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start + pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ + type: string + minWeightPercent: + default: 10 + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + window: + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + required: + - window + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. 
+ properties: + authorization: + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. + properties: + authPolicy: + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. + type: boolean + type: object + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. 
+ items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + minItems: 1 + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + minItems: 1 + type: array + allowOrigin: + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. + items: + type: string + minItems: 1 + type: array + allowPrivateNetwork: + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. + type: boolean + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + minItems: 1 + type: array + maxAge: + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ + type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + ipAllowPolicy: + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. + type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + ipDenyPolicy: + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. 
+ type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + jwtProviders: + description: Providers to use for verifying JSON Web Tokens (JWTs) + on the virtual host. + items: + description: JWTProvider defines how to verify JWTs on requests. + properties: + audiences: + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. + items: + type: string + type: array + default: + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly + identify the provider they require. + type: boolean + forwardJWT: + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, + the JWT is not forwarded. + type: boolean + issuer: + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. + type: string + name: + description: Unique name for the provider. + minLength: 1 + type: string + remoteJWKS: + description: Remote JWKS to use for verifying JWT signatures. + properties: + cacheDuration: + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + dnsLookupFamily: + description: |- + The DNS IP address resolution policy for the JWKS URI. 
+ When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + enum: + - auto + - v4 + - v6 + type: string + timeout: + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + uri: + description: The URI for the JWKS. + minLength: 1 + type: string + validation: + description: UpstreamValidation defines how to verify + the JWKS's TLS certificate. + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. 
+ Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' + required: + - uri + type: object + required: + - name + - remoteJWKS + type: object + type: array + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. 
+ minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. 
+ properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. 
+ minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + local: + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. + properties: + burst: + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. + format: int32 + type: integer + requests: + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". 
+ enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. + properties: + clientValidation: + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. + properties: + caSecret: + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + minLength: 1 + type: string + crlOnlyVerifyLeafCert: + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. + type: boolean + crlSecret: + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. 
+ CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + minLength: 1 + type: string + forwardClientCertificate: + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. + properties: + cert: + description: Client cert in URL encoded PEM format. + type: boolean + chain: + description: Client cert chain (including the leaf + cert) in URL encoded PEM format. + type: boolean + dns: + description: DNS type Subject Alternative Names of + the client cert. + type: boolean + subject: + description: Subject of the client cert. + type: boolean + uri: + description: URI type Subject Alternative Name of + the client cert. + type: boolean + type: object + optionalClientCertificate: + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. + type: boolean + skipClientCertValidation: + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. 
If external authorization is in use, they are + presented to the external authorization server. + type: boolean + type: object + enableFallbackCertificate: + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. + type: boolean + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. + type: string + passthrough: + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. + type: boolean + secretName: + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. + If specified, the named secret must contain a matching certificate + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + type: string + type: object + required: + - fqdn + type: object + type: object + status: + default: + currentStatus: NotReconciled + description: Waiting for controller + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. 
+ That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. + items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. 
+ In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. + properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. 
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. + items: + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. + properties: + hostname: + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) + type: string + ip: + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. 
+ Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. + type: string + ports: + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it + items: + properties: + error: + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + 
- tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. 
+ properties: + conditions: + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. + items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. 
+ When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. + properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ warnings:
+ description: |-
+ Warnings contains a slice of relevant warning subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
+ An empty slice here indicates no warnings.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-job-certgen.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-job-certgen.yaml
new file mode 100644
index 000000000..54dc987f7
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-job-certgen.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: contour-certgen
+ namespace: projectcontour
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: contour
+ namespace: projectcontour
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: contour-certgen
+subjects:
+- kind: ServiceAccount
+ name: contour-certgen
+ namespace: projectcontour
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: contour-certgen
+ namespace: projectcontour
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: contour-certgen-v1-28-5
+ namespace: projectcontour
+spec:
+ template:
+ metadata:
+ labels:
+ app: "contour-certgen"
+ spec:
+ containers:
+ - name: contour
+ image: ghcr.io/projectcontour/contour:v1.28.5
+ imagePullPolicy: IfNotPresent
+ command:
+ - contour
+ - certgen
+ - --kube
+ - --incluster
+ - --overwrite
+ - --secrets-format=compact
+ - --namespace=$(CONTOUR_NAMESPACE)
+ env:
+ - name: CONTOUR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ restartPolicy: Never
+ serviceAccountName: contour-certgen
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ parallelism: 1
+ completions: 1
+ backoffLimit: 1
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-rbac.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-rbac.yaml
new file mode 100644
index 000000000..9766df6a9
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-rbac.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: contour
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: contour
+subjects:
+- kind: ServiceAccount
+ name: contour
+ namespace: projectcontour
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: contour-rolebinding
+ namespace: projectcontour
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: contour
+subjects:
+- kind: ServiceAccount
+ name: contour
+ namespace: projectcontour
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-role-contour.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-role-contour.yaml
new file mode 100644
index 000000000..21bf57381
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-role-contour.yaml
@@ -0,0 +1,116 @@
+# The following ClusterRole and Role are generated from kubebuilder RBAC tags by
+# generate-rbac.sh. Do not edit this file directly but instead edit the source
+# files and re-render.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: contour
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - namespaces
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies
+ - gatewayclasses
+ - gateways
+ - grpcroutes
+ - httproutes
+ - referencegrants
+ - tcproutes
+ - tlsroutes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - tcproutes/status
+ - tlsroutes/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - projectcontour.io
+ resources:
+ - contourconfigurations
+ - extensionservices
+ - httpproxies
+ - tlscertificatedelegations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - projectcontour.io
+ resources:
+ - contourconfigurations/status
+ - extensionservices/status
+ - httpproxies/status
+ verbs:
+ - create
+ - get
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: contour
+ namespace: projectcontour
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-service-contour.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-service-contour.yaml
new file mode 100644
index 000000000..8be5bc9a7
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-service-contour.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: contour
+ namespace: projectcontour
+spec:
+ ports:
+ - port: 8001
+ name: xds
+ protocol: TCP
+ targetPort: 8001
+ selector:
+ app: contour
+ type: ClusterIP
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-service-envoy.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-service-envoy.yaml
new file mode 100644
index 000000000..1da8fc0a6
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/02-service-envoy.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: envoy
+ namespace: projectcontour
+ annotations:
+ # This annotation puts the AWS ELB into "TCP" mode so that it does not
+ # do HTTP negotiation for HTTPS connections at the ELB edge.
+ # The downside of this is the remote IP address of all connections will
+ # appear to be the internal address of the ELB. See docs/proxy-proto.md
+ # for information about enabling the PROXY protocol on the ELB to recover
+ # the original remote IP address.
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+spec:
+ externalTrafficPolicy: Local
+ ports:
+ - port: 80
+ name: http
+ protocol: TCP
+ targetPort: 8080
+ - port: 443
+ name: https
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: envoy
+ type: LoadBalancer
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/03-contour.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/03-contour.yaml
new file mode 100644
index 000000000..331d87d6c
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/03-contour.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: contour
+ name: contour
+ namespace: projectcontour
+spec:
+ replicas: 2
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ # This value of maxSurge means that during a rolling update
+ # the new ReplicaSet will be created first.
+ maxSurge: 50%
+ selector:
+ matchLabels:
+ app: contour
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8000"
+ labels:
+ app: contour
+ spec:
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app: contour
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ containers:
+ - args:
+ - serve
+ - --incluster
+ - --xds-address=0.0.0.0
+ - --xds-port=8001
+ - --contour-cafile=/certs/ca.crt
+ - --contour-cert-file=/certs/tls.crt
+ - --contour-key-file=/certs/tls.key
+ - --config-path=/config/contour.yaml
+ command: ["contour"]
+ image: ghcr.io/projectcontour/contour:v1.28.5
+ imagePullPolicy: IfNotPresent
+ name: contour
+ ports:
+ - containerPort: 8001
+ name: xds
+ protocol: TCP
+ - containerPort: 8000
+ name: metrics
+ protocol: TCP
+ - containerPort: 6060
+ name: debug
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8000
+ readinessProbe:
+ tcpSocket:
+ port: 8001
+ periodSeconds: 10
+ volumeMounts:
+ - name: contourcert
+ mountPath: /certs
+ readOnly: true
+ - name: contour-config
+ mountPath: /config
+ readOnly: true
+ env:
+ - name: CONTOUR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ dnsPolicy: ClusterFirst
+ serviceAccountName: contour
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ volumes:
+ - name: contourcert
+ secret:
+ secretName: contourcert
+ - name: contour-config
+ configMap:
+ name: contour
+ defaultMode: 0644
+ items:
+ - key: contour.yaml
+ path: contour.yaml
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/03-envoy.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/03-envoy.yaml
new file mode 100644
index 000000000..cf3ecb6f9
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/03-envoy.yaml
@@ -0,0 +1,139 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app: envoy
+ name: envoy
+ namespace: projectcontour
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 10%
+ selector:
+ matchLabels:
+ app: envoy
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8002"
+ prometheus.io/path: "/stats/prometheus"
+ labels:
+ app: envoy
+ spec:
+ containers:
+ - command:
+ - /bin/contour
+ args:
+ - envoy
+ - shutdown-manager
+ image: ghcr.io/projectcontour/contour:v1.28.5
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /bin/contour
+ - envoy
+ - shutdown
+ name: shutdown-manager
+ volumeMounts:
+ - name: envoy-admin
+ mountPath: /admin
+ - args:
+ - -c
+ - /config/envoy.json
+ - --service-cluster $(CONTOUR_NAMESPACE)
+ - --service-node $(ENVOY_POD_NAME)
+ - --log-level info
+ command:
+ - envoy
+ image: docker.io/envoyproxy/envoy:v1.29.5
+ imagePullPolicy: IfNotPresent
+ name: envoy
+ env:
+ - name: CONTOUR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: ENVOY_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ ports:
+ - containerPort: 8080
+ hostPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 8443
+ hostPort: 443
+ name: https
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8002
+ initialDelaySeconds: 3
+ periodSeconds: 4
+ volumeMounts:
+ - name: envoy-config
+ mountPath: /config
+ readOnly: true
+ - name: envoycert
+ mountPath: /certs
+ readOnly: true
+ - name: envoy-admin
+ mountPath: /admin
+ lifecycle:
+ preStop:
+ httpGet:
+ path: /shutdown
+ port: 8090
+ scheme: HTTP
+ initContainers:
+ - args:
+ - bootstrap
+ - /config/envoy.json
+ - --xds-address=contour
+ - --xds-port=8001
+ - --xds-resource-version=v3
+ - --resources-dir=/config/resources
+ - --envoy-cafile=/certs/ca.crt
+ - --envoy-cert-file=/certs/tls.crt
+ - --envoy-key-file=/certs/tls.key
+ command:
+ - contour
+ image: ghcr.io/projectcontour/contour:v1.28.5
+ imagePullPolicy: IfNotPresent
+ name: envoy-initconfig
+ volumeMounts:
+ - name: envoy-config
+ mountPath: /config
+ - name: envoycert
+ mountPath: /certs
+ readOnly: true
+ env:
+ - name: CONTOUR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ automountServiceAccountToken: false
+ serviceAccountName: envoy
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: envoy-admin
+ emptyDir: {}
+ - name: envoy-config
+ emptyDir: {}
+ - name: envoycert
+ secret:
+ secretName: envoycert
+ restartPolicy: Always
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/README.md b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/README.md
new file mode 100644
index 000000000..5edf32fc8
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream/README.md
@@ -0,0 +1,84 @@
+# Contour Installation
+
+This is an installation guide to configure Contour in a Deployment separate from Envoy which allows for easier scaling of each component.
+
+This configuration has several advantages:
+
+1. Envoy runs as a daemonset which allows for distributed scaling across workers in the cluster
+2. Communication between Contour and Envoy is secured by mutually-checked self-signed certificates.
+
+## Moving parts
+
+- Contour is run as Deployment and Envoy as a Daemonset
+- Envoy runs on host networking
+- Envoy runs on ports 80 & 443
+
+The TLS secrets used to secure the gRPC session between Contour and Envoy are generated using a Job that runs `contour certgen`.
+For detailed instructions on how to configure the required secrets manually, see the [step-by-step TLS HOWTO](https://projectcontour.io/docs/main/grpc-tls-howto).
+
+## Deploy Contour
+
+Either:
+
+1. Run `kubectl apply -f https://projectcontour.io/quickstart/contour.yaml`
+
+or:
+Clone or fork the repository, then run:
+
+```bash
+kubectl apply -f examples/contour
+```
+
+This will:
+
+- set up RBAC and Contour's CRDs (CRDs include HTTPProxy, TLSCertificateDelegation)
+- run a Kubernetes Job that will generate one-year validity certs and put them into `projectcontour`
+- Install Contour and Envoy in a Deployment and Daemonset respectively.
+
+**NOTE**: The current configuration exposes the `/stats` path from the Envoy Admin UI so that Prometheus can scrape for metrics.
+
+## Test
+
+1. Install a workload (see the kuard example in the [main deployment guide](https://projectcontour.io/docs/main/deploy-options/#test-with-httpproxy)).
+
+## Deploying with Host Networking enabled for Envoy
+
+In order to deploy the Envoy Daemonset with host networking enabled, you need to make two changes.
+
+In the Envoy daemonset definition, at the Pod spec level, change:
+
+```yaml
+dnsPolicy: ClusterFirst
+```
+
+to
+
+```yaml
+dnsPolicy: ClusterFirstWithHostNet
+```
+
+and add
+
+```yaml
+hostNetwork: true
+```
+
+Then, in the Envoy Service definition, change the annotation from:
+
+```yaml
+ # This annotation puts the AWS ELB into "TCP" mode so that it does not
+ # do HTTP negotiation for HTTPS connections at the ELB edge.
+ # The downside of this is the remote IP address of all connections will
+ # appear to be the internal address of the ELB. See docs/proxy-proto.md
+ # for information about enabling the PROXY protocol on the ELB to recover
+ # the original remote IP address.
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+```
+
+to
+
+```yaml
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+```
+
+Then, apply the example as normal. This will still deploy a LoadBalancer Service, but it will be an NLB instead of an ELB.
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/values-schema.yaml
new file mode 100644
index 000000000..a3d9c9551
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/values-schema.yaml
@@ -0,0 +1,35 @@
+#@ load("rules.star", "check_all")
+
+#@data/values-schema
+#@schema/validation ("check compliance of values", check_all)
+---
+#@schema/desc "Underlying infrastructure provider."
+#@schema/validation one_of=["aws", "gcp", "azure", "kind", "minikube", "custom"]
+infraProvider: "custom"
+
+#@schema/desc "Name of the namespace to use"
+namespace: projectcontour
+#@schema/desc "Should the namespace be created"
+createNamespace: true
+
+#@schema/desc "Contour dpeloyment configuration"
+#@schema/nullable
+contour:
+ replicas: 1
+
+#@schema/desc "Envoy service configuration"
+service:
+ #@schema/validation one_of=["ClusterIP", "LoadBalancer"]
+ type: LoadBalancer
+ useHostPorts: true
+
+#@schema/desc "Configuration for externaldns"
+#@schema/nullable
+externaldns:
+ domains:
+ - ""
+
+#@schema/desc "Configuration for the Contour ingress controller"
+configFileContents:
+ defaultHttpVersions:
+ - ""
diff --git a/carvel-packages/training-platform/bundle/config/00-assert.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-assert.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/00-assert.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-assert.yaml
diff --git a/carvel-packages/training-platform/bundle/config/00-package.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-package.star
similarity index 88%
rename from carvel-packages/training-platform/bundle/config/00-package.star
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-package.star
index ba5d602e3..a449d45d8 100644
--- a/carvel-packages/training-platform/bundle/config/00-package.star
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-package.star
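Review bot: The `#@schema/desc` on the `contour` block misspells "deployment" (`#@schema/desc "Contour dpeloyment configuration"`); these descriptions are what package consumers see for the generated schema, so the line should read `#@schema/desc "Contour deployment configuration"`. In the `service` block, `type` documents its allowed values through `one_of` but `useHostPorts: true` has no description at all, unlike every other top-level setting in this file; a one-line `#@schema/desc` on it would keep the schema self-describing.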
@@ -20,11 +20,8 @@ def xgetattr(object, path, default=None):
 end
 def image_reference(name):
- registry = data.values.imageRegistry.host
- if not registry:
- registry = "registry.default.svc.cluster.local"
- end
- if data.values.imageRegistry.namespace:
+ registry = xgetattr(data.values, "imageRegistry.host", "registry.default.svc.cluster.local")
+ if xgetattr(data.values, "imageRegistry.namespace", "") != "":
 registry = "{}/{}".format(registry, data.values.imageRegistry.namespace)
 end
 image = "{}/educates-{}:{}".format(registry, name, data.values.version)
diff --git a/carvel-packages/training-platform/bundle/config/00-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml
similarity index 97%
rename from carvel-packages/training-platform/bundle/config/00-schema.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml
index e46642f2c..8c4cc4c89 100644
--- a/carvel-packages/training-platform/bundle/config/00-schema.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-schema.yaml
@@ -1,6 +1,5 @@
 #@data/values-schema
 ---
-
 #! The version of Educates to be used. This is used internally for development
 #! and experimentation and should not be overridden through a values file in
 #! normal use.
@@ -12,7 +11,6 @@ version: "latest"
 #! and should not be overridden through a values file in normal use.
 operator:
-
 namespace: "educates"
 apiGroup: "educates.dev"
 statusKey: "educates"
@@ -27,8 +25,10 @@ operator:
 #! registry as part of the Educates deployment which is done when secure
 #! connections are available.
+#@schema/nullable
 imageRegistry:
-
+ #@schema/nullable
+ #@schema/validation min_len=1
 host: ""
 namespace: ""
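Review bot: The new `registry = xgetattr(data.values, "imageRegistry.host", "registry.default.svc.cluster.local")` only falls back to the in-cluster registry when `xgetattr` treats the attribute as absent, yet the schema hunks in this same commit make both `imageRegistry` and `host` `#@schema/nullable`, so a present-but-`None` host can now flow straight into the `"{}/educates-{}:{}".format(...)` call that the removed `if not registry:` guard used to catch. Unless `xgetattr` (its body starts above this hunk) is known to substitute the default for `None`, a truthiness fallback preserves the old behaviour: `registry = xgetattr(data.values, "imageRegistry.host", None) or "registry.default.svc.cluster.local"`. The namespace test has the same exposure; `if xgetattr(data.values, "imageRegistry.namespace", ""):` is equivalent to the removed check and also tolerates `None`. `image_reference` continues past the end of the hunk.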
@@ -37,36 +37,30 @@ imageRegistry:
 #! in normal use.
 imageVersions:
-
 - name: ""
 image: ""
 #! Settings for customizing container runtime used for Educates deployments.
 clusterRuntime:
-
 #! Runtime class applied to deployments. Can be set where pods should be run
 #! using a container runtime other than the default. For example one could
 #! select Kata containers as runtime so workshop containers are isolated in an
 #! additional lightweight VM. Only workshop containers currently have this
- #! runtime class applied.
-
+ #! runtime class applied.
 class: ""
 #! Settings for customizing ingress details by which Educates will be accessed.
 clusterIngress:
-
 #! Ingress domain. DNS parent subdomain used for training portal and workshop
 #! ingresses.
-
 domain: "educates-local-dev.test"
 #! Ingress class. Required when multiple ingress controllers exist and it is
 #! necessary to use one which is not marked as the default. Note that any
 #! workshop content which has users create ingresses will need to separately
 #! handle that a non default ingress class needs to be used.
-
 class: ""
 #! Ingress protocol. Should only be set where an ingress secret has not been
@@ -75,16 +69,13 @@ clusterIngress:
 #! would be necessary to override it with the value "https". Otherwise leave
 #! as empty and the value will be calculated automatically based on whether an
 #! ingress secret was supplied.
-
 protocol: ""
 #! TLS certificate for secure ingress. Must be a wildcard certificate for
 #! children of the DNS parent ingress subdomain. Full certificate chain and
 #! private key need to be defined in the values. Will be ignored if the
 #! "tlsCertificateRef" setting is defined.
-
 tlsCertificate:
-
 tls.crt: ""
 tls.key: ""
@@ -94,7 +85,6 @@ clusterIngress:
 #! secret must reside in the Educates namespace.
 tlsCertificateRef:
-
 namespace: ""
 name: ""
@@ -102,7 +92,6 @@ clusterIngress:
 #! the "caCertificateRef" setting is defined.
 caCertificate:
-
 ca.crt: ""
 #! Reference to CA certificate for verifying wildcard TLS certificate. Takes
@@ -110,7 +99,6 @@ clusterIngress:
 #! secret must reside in the Educates namespace.
 caCertificateRef:
-
 namespace: ""
 name: ""
@@ -118,18 +106,15 @@ clusterIngress:
 #! cluster nodes.
 caNodeInjector:
-
 enabled: false
 #! Settings for overriding options for portal and workshop session cookies.
 sessionCookies:
-
 #! Session cookie domain. DNS parent domain used for training portal and
 #! workshop session cookies. May need to be set to a parent domain of the
 #! ingress domain if cross domain cookie sharing is necessary due to
 #! embedding.
-
 domain: ""
 #! Configuration for persistent volumes. The default storage class specified
@@ -141,7 +126,6 @@ sessionCookies:
 #! cannot be used in a Kubernetes cluster which enforces pod security policies.
 clusterStorage:
-
 class: ""
 #@schema/nullable
 user: 0
@@ -155,7 +139,6 @@ clusterStorage:
 #! copied into the Educates namespace.
 clusterSecrets:
-
 pullSecretRefs:
 - namespace: ""
 name: ""
@@ -165,14 +148,12 @@ clusterSecrets:
 #! "none".
 clusterSecurity:
-
 policyEngine: "none"
 #! Rules engine used to enforce additional restrictions on what workshop users
 #! can do beyond what RBAC limits. Options are "kyverno" and "none".
 workshopSecurity:
-
 rulesEngine: "kyverno"
 #! User credentials for accessing training portal instances. If not specified
@@ -184,7 +165,6 @@ workshopSecurity:
 #! portal. They are only usable with the training portal REST API.
 trainingPortal:
-
 credentials:
 admin:
 username: "educates"
@@ -208,7 +188,6 @@ trainingPortal:
 #! set to "https://registry-1.docker.io".
 dockerDaemon:
-
 networkMTU: 1400
 proxyCache:
@@ -220,10 +199,9 @@ dockerDaemon:
 #! By default will block AWS EC2 metadata access point.
 clusterNetwork:
-
 #@schema/default ["169.254.169.254/32", "fd00:ec2::254/128"]
 blockCIDRs:
- - ""
+ - ""
 #! Analytics allows for tracking for workshop sessions. Note that Google
 #! analytics is not a reliable method due to being browser based and many users
@@ -231,7 +209,6 @@ clusterNetwork:
 #! more detailed analytics.
 workshopAnalytics:
-
 google:
 trackingId: ""
@@ -247,7 +224,6 @@ workshopAnalytics:
 #! Overrides for styling of training portal and workshop dashboard interface.
 websiteStyling:
-
 workshopDashboard:
 html: ""
 script: ""
@@ -276,14 +252,18 @@ websiteStyling:
 namespace: ""
 frameAncestors:
- - ""
+ - ""
 #! Pre-pull selected workshop images to nodes in the cluster. Should be empty
 #! list if no images should be prepulled. This is done to reduce start up times
 #! for workhop sessions the first time on each node in the cluster.
 imagePuller:
-
+ enabled: true
 #@schema/default ["base-environment"]
 prePullImages:
 - ""
+
+lookupService:
+ enabled: false
+ ingressPrefix: "educates-api"
\ No newline at end of file
diff --git a/carvel-packages/training-platform/bundle/config/00-values.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-values.yaml
similarity index 65%
rename from carvel-packages/training-platform/bundle/config/00-values.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-values.yaml
index 62e93035e..3f412e0ed 100644
--- a/carvel-packages/training-platform/bundle/config/00-values.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/00-values.yaml
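Review bot: The new `lookupService` block at the end of the schema is the only top-level setting in this file without a `#!` comment explaining it, and the file now ends without a trailing newline (`\ No newline at end of file`). A short header such as `#! Settings for the optional lookup service. "ingressPrefix" is the subdomain under the cluster ingress domain on which it is exposed.` would match the documentation style of every other section, and the final line should be newline-terminated. The `00-values.yaml` hunk that follows drops its trailing newline in the same way.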
@@ -15,7 +15,4 @@ imageVersions:
 - name: rancher-k3s-v1.30
 image: "rancher/k3s:v1.30.1-k3s1"
 - name: loftsh-vcluster
- image: "loftsh/vcluster:0.18.1"
-- name: contour-bundle
- #! contour.community.tanzu.vmware.com.1.22.0
- image: "projects.registry.vmware.com/tce/contour@sha256:b68ad8ec3012db7d2a2e84f8544685012e2dca09d28d54dce8735fb60f0d05bf"
+ image: "loftsh/vcluster:0.18.1"
\ No newline at end of file
diff --git a/carvel-packages/training-platform/bundle/config/01-clusterpolicies.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-clusterpolicies.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/01-clusterpolicies.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-clusterpolicies.yaml
diff --git a/carvel-packages/training-platform/bundle/config/01-clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-clusterroles.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/01-clusterroles.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-clusterroles.yaml
diff --git a/carvel-packages/training-platform/bundle/config/01-podsecuritypolicies.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-podsecuritypolicies.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/01-podsecuritypolicies.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-podsecuritypolicies.yaml
diff --git a/carvel-packages/training-platform/bundle/config/01-securitycontextconstraints.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-securitycontextconstraints.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/01-securitycontextconstraints.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/01-securitycontextconstraints.yaml
diff --git a/carvel-packages/training-platform/bundle/config/02-namespaces.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/02-namespaces.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/02-namespaces.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/02-namespaces.yaml
diff --git a/carvel-packages/training-platform/bundle/config/06-configmaps.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/06-configmaps.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/06-configmaps.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/06-configmaps.yaml
diff --git a/carvel-packages/training-platform/bundle/config/06-secrets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/06-secrets.yaml
similarity index 93%
rename from carvel-packages/training-platform/bundle/config/06-secrets.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/06-secrets.yaml
index 4460eea16..dc41d5ae7 100644
--- a/carvel-packages/training-platform/bundle/config/06-secrets.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/06-secrets.yaml
@@ -15,15 +15,9 @@ metadata:
   annotations:
     kapp.k14s.io/versioned: ""
     kapp.k14s.io/num-versions: "5"
-#@ if data.values.clusterIngress.domain == "educates-local-dev.test":
-stringData:
-  values.yaml: #@ yaml.encode(data.values)
-  kyverno-policies.yaml: #@ yaml.encode(kyverno_policies)
-#@ else:
 data:
   values.yaml: #@ base64.encode(yaml.encode(data.values))
   kyverno-policies.yaml: #@ base64.encode(yaml.encode(kyverno_policies))
-#@ end
 
 #@ ingress_certificate = getattr(data.values.clusterIngress.tlsCertificate, "tls.crt")
 #@ ingress_private_key = getattr(data.values.clusterIngress.tlsCertificate, "tls.key")
diff --git a/carvel-packages/training-platform/bundle/config/07-daemonsets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/07-daemonsets.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/07-daemonsets.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/07-daemonsets.yaml
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
new file mode 100644
index 000000000..e80049907
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
@@ -0,0 +1,35 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:library", "library")
+#@ load("@ytt:template", "template")
+#@ load("/00-package.star", "image_reference", "image_pull_policy")
+
+#@ ingress_certificate = getattr(data.values.clusterIngress.tlsCertificate, "tls.crt")
+#@ ingress_private_key = getattr(data.values.clusterIngress.tlsCertificate, "tls.key")
+#@ image = image_reference("lookup-service")
+
+#@ if data.values.clusterIngress.tlsCertificateRef.name != None:
+#@ ingress_secret = data.values.clusterIngress.tlsCertificateRef.name
+#@ elif (ingress_certificate and ingress_private_key):
+#@ ingress_secret = "{}-tls".format(data.values.clusterIngress.domain)
+#@ end
+
+#@ ingress_ca_secret = data.values.clusterIngress.caCertificateRef.name
+
+#@ workshop_base_image = image_reference("base-environment")
+#@ workshop_base_image_pull_policy = image_pull_policy(workshop_base_image)
+
+#@ def lookup_service_values():
+tld: #@ "{}.{}".format(data.values.lookupService.ingressPrefix, data.values.clusterIngress.domain)
+certName: #@ ingress_secret
+caName: #@ ingress_ca_secret
+image: #@ image
+imagePullPolicy: #@ image_pull_policy(image)
+workshopBaseImage: #@ workshop_base_image
+workshopBaseImagePullPolicy: #@ workshop_base_image_pull_policy
+#@ end
+
+#@ if data.values.lookupService.enabled:
+--- #@ template.replace(library.get("lookup-service").with_data_values(lookup_service_values(), plain=True).eval())
+#@ end
+
+--- #@ template.replace(library.get("lookup-service-token").with_data_values({}, plain=True).eval())
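Review bot: `ingress_secret` is only bound inside the `if`/`elif` at lines 10–14, so when `tlsCertificateRef.name` is `None` and no inline certificate is supplied, `lookup_service_values()` references an unbound name and ytt fails with a generic error instead of a clear message; add an `#@ else:` branch, either `#@ ingress_secret = None` if the lookup-service library tolerates a missing `certName`, or `#@ fail("lookupService requires a cluster ingress TLS certificate")`. Separately, the trailing `lookup-service-token` library is rendered unconditionally, outside the `lookupService.enabled` guard; if that is deliberate (the token being needed even when the service is off), a one-line `#!` comment saying so would stop the next reader from "fixing" it.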
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/01-clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-clusterroles.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/01-clusterroles.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-clusterroles.yaml
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretcopier.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretcopier.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretcopier.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretcopier.yaml
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretexporter.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretexporter.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretexporter.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretexporter.yaml
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretimporter.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretimporter.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretimporter.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretimporter.yaml
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretinjector.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretinjector.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/01-crds-secretinjector.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/01-crds-secretinjector.yaml
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/04-serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/04-serviceaccounts.yaml
similarity index 66%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/04-serviceaccounts.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/04-serviceaccounts.yaml
index ac3c56c60..00a271165 100644
--- a/carvel-packages/training-platform/bundle/config/10-secrets-manager/04-serviceaccounts.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/04-serviceaccounts.yaml
@@ -9,5 +9,6 @@ metadata:
   annotations:
     kapp.k14s.io/change-group: #@ "secrets.{}/service-accounts".format(data.values.operator.apiGroup)
     #! Following currently needed for kapp on OpenShift.
-    kapp.k14s.io/create-strategy: fallback-on-update
-    kapp.k14s.io/update-strategy: skip
+    #! TODO: Bring kapp rebaseRules for Openshift service accounts
+#! kapp.k14s.io/create-strategy: fallback-on-update
+#! kapp.k14s.io/update-strategy: skip
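Review bot: The `kapp.k14s.io/create-strategy: fallback-on-update` and `update-strategy: skip` annotations are commented out while the `#! Following currently needed for kapp on OpenShift.` comment directly above them is kept, so the file now says the annotations are needed and then omits them; the same pattern appears in both hunks of the session-manager service accounts and in the two service-account-token secrets later in this diff. If the OpenShift rebaseRules named in the TODO are not part of this change, kapp deploys on OpenShift regress, since the platform mutates these objects after creation and the fallback strategy was what tolerated that. Either land the rebaseRules in the same change or reword the kept comment to `#! kapp rebaseRules for OpenShift service accounts still TODO; annotations below are disabled.` so the state is unambiguous.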
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/05-clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/05-clusterrolebindings.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/05-clusterrolebindings.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/05-clusterrolebindings.yaml
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/06-secrets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/06-secrets.yaml
similarity index 90%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/06-secrets.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/06-secrets.yaml
index f7238ca7f..184eeff3e 100644
--- a/carvel-packages/training-platform/bundle/config/10-secrets-manager/06-secrets.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/06-secrets.yaml
@@ -9,5 +9,5 @@ metadata:
   annotations:
     kubernetes.io/service-account.name: "secrets-manager"
     kapp.k14s.io/change-rule: #@ "upsert after upserting secrets.{}/service-accounts".format(data.values.operator.apiGroup)
-    kapp.k14s.io/update-strategy: skip
+#! kapp.k14s.io/update-strategy: skip
 type: kubernetes.io/service-account-token
diff --git a/carvel-packages/training-platform/bundle/config/10-secrets-manager/07-deployments.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/07-deployments.yaml
similarity index 92%
rename from carvel-packages/training-platform/bundle/config/10-secrets-manager/07-deployments.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/07-deployments.yaml
index 3b98a4005..95096d2e7 100644
--- a/carvel-packages/training-platform/bundle/config/10-secrets-manager/07-deployments.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/10-secrets-manager/07-deployments.yaml
@@ -39,15 +39,17 @@ spec:
               drop: ["ALL"]
           startupProbe:
             initialDelaySeconds: 15
-            periodSeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
             successThreshold: 1
             failureThreshold: 4
             httpGet:
               path: /healthz?probe=startup
               port: 8080
           livenessProbe:
-            initialDelaySeconds: 5
-            periodSeconds: 5
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 5
             successThreshold: 1
             failureThreshold: 3
             httpGet:
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-clusterroles.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-clusterroles.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-clusterroles.yaml
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-trainingportal.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-trainingportal.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-trainingportal.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-trainingportal.yaml
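Review bot: `timeoutSeconds: 5` is set on both probes here, but the otherwise identical hunk in the session-manager deployment later in this diff sets `timeoutSeconds: 1`, which is also the Kubernetes default, so the divergence looks accidental rather than tuned. A 1s liveness timeout with `failureThreshold: 3` means three slow `/healthz` responses under load restart that operator; if the tighter value is intentional for session-manager a short `#!` comment beside it would help, otherwise align it to `timeoutSeconds: 5`. The container spec these probes belong to starts and ends outside the hunk.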
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshop.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshop.yaml
similarity index 96%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshop.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshop.yaml
index 2e0cd24b0..791085558 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshop.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshop.yaml
@@ -994,33 +994,6 @@ spec:
                     type: string
                   storage:
                     type: string
-                  services:
-                    type: object
-                    properties:
-                      fromHost:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                          - from
-                          - to
-                          properties:
-                            from:
-                              type: string
-                            to:
-                              type: string
-                      fromVirtual:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                          - from
-                          - to
-                          properties:
-                            from:
-                              type: string
-                            to:
-                              type: string
                   ingress:
                     type: object
                     required:
@@ -1088,24 +1061,8 @@ spec:
                         type: string
                       port:
                         type: integer
-                      path:
-                        type: string
-                      pathRewrite:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                          - pattern
-                          - replacement
-                          properties:
-                            pattern:
-                              type: string
-                            replacement:
-                              type: string
                       changeOrigin:
                         type: boolean
-                      secure:
-                        type: boolean
                       headers:
                         type: array
                         items:
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopallocation.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopallocation.yaml
similarity index 96%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopallocation.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopallocation.yaml
index 87a70c845..2ca1fecbb 100644
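Review bot: Dropping `services`, `path`, `pathRewrite` and `secure` from the Workshop schema is a compatibility break for any stored Workshop that sets them: with a structural schema the API server prunes the fields on the next write and rejects manifests that still carry them, and there is no deprecation period. `secure` looks like a TLS-verification toggle for the proxied upstream (not verifiable from this view); if the session-manager code that read it was removed in the same change, say so in the commit description, otherwise keep the fields for one release with a `description: Deprecated, ignored.` so older manifests still apply. Both hunks sit deep inside `spec.versions[].schema`, whose enclosing definitions are outside this view.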
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopallocation.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopallocation.yaml
@@ -40,9 +40,12 @@ spec:
                 type: object
                 required:
                 - name
+                - user
                 properties:
                   name:
                     type: string
+                  user:
+                    type: string
           status:
             type: object
             x-kubernetes-preserve-unknown-fields: true
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopenvironment.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopenvironment.yaml
similarity index 97%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopenvironment.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopenvironment.yaml
index 50ccb26b0..b733c1f7e 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopenvironment.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopenvironment.yaml
@@ -154,6 +154,12 @@ spec:
                     type: string
                   namespace:
                     type: string
+                  capacity:
+                    type: integer
+                  initial:
+                    type: integer
+                  reserved:
+                    type: integer
                   secrets:
                     type: object
                     properties:
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshoprequest.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshoprequest.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshoprequest.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshoprequest.yaml
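Review bot: `user` is made required but carries no constraint, so an empty string satisfies the schema; if the value flows into labels or resource names, as the name suggests but this view cannot confirm, add `minLength: 1` and a `pattern` matching what the consumer accepts, e.g. `user: {type: string, minLength: 1}`, so a malformed allocation is rejected at admission rather than deep in the operator. The same unconstrained `user: type: string` is added to the WorkshopSession schema further down this diff. Making the field required also rejects any WorkshopAllocation manifest written against the previous schema, which is worth a line in the release notes.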
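Review bot: `capacity`, `initial` and `reserved` accept any integer, negative values included, and nothing expresses that `initial` and `reserved` must not exceed `capacity`; add `minimum: 0` to each (e.g. `capacity: {type: integer, minimum: 0}`) so an obviously bad environment is rejected by the API server instead of surfacing as operator behaviour. The relational bound needs an `x-kubernetes-validations` CEL rule or a validating webhook, depending on the Kubernetes versions the installer supports.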
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopsession.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopsession.yaml
similarity index 98%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopsession.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopsession.yaml
index b55fc2d22..2f644898e 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/01-crds-workshopsession.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/01-crds-workshopsession.yaml
@@ -151,6 +151,8 @@ spec:
                 properties:
                   enabled:
                     type: boolean
+                  user:
+                    type: string
       additionalPrinterColumns:
       - name: URL
         type: string
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/04-serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/04-serviceaccounts.yaml
similarity index 61%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/04-serviceaccounts.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/04-serviceaccounts.yaml
index 569883812..0f43a5b8d 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/04-serviceaccounts.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/04-serviceaccounts.yaml
@@ -9,8 +9,9 @@ metadata:
   annotations:
     kapp.k14s.io/change-group: #@ "training.{}/service-accounts".format(data.values.operator.apiGroup)
     #! Following currently needed for kapp on OpenShift.
-    kapp.k14s.io/create-strategy: fallback-on-update
-    kapp.k14s.io/update-strategy: skip
+    #! TODO: Bring kapp rebaseRules for Openshift service accounts
+#! kapp.k14s.io/create-strategy: fallback-on-update
+#! kapp.k14s.io/update-strategy: skip
 
 ---
 apiVersion: v1
@@ -20,5 +21,6 @@ metadata:
   namespace: #@ data.values.operator.namespace
   annotations:
     #! Following currently needed for kapp on OpenShift.
-    kapp.k14s.io/create-strategy: fallback-on-update
-    kapp.k14s.io/update-strategy: skip
+    #! TODO: Bring kapp rebaseRules for Openshift service accounts
+#! kapp.k14s.io/create-strategy: fallback-on-update
+#! kapp.k14s.io/update-strategy: skip
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/05-clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/05-clusterrolebindings.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/05-clusterrolebindings.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/05-clusterrolebindings.yaml
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/06-secrets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/06-secrets.yaml
similarity index 90%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/06-secrets.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/06-secrets.yaml
index 428e39562..916d93f02 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/06-secrets.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/06-secrets.yaml
@@ -9,5 +9,5 @@ metadata:
   annotations:
     kubernetes.io/service-account.name: "session-manager"
     kapp.k14s.io/change-rule: #@ "upsert after upserting training.{}/service-accounts".format(data.values.operator.apiGroup)
-    kapp.k14s.io/update-strategy: skip
+#! kapp.k14s.io/update-strategy: skip
 type: kubernetes.io/service-account-token
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/07-daemonsets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/07-daemonsets.yaml
similarity index 95%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/07-daemonsets.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/07-daemonsets.yaml
index 0804b4351..a30ef263a 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/07-daemonsets.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/07-daemonsets.yaml
@@ -2,13 +2,11 @@
 #@ load("/00-package.star", "image_reference", "image_pull_secrets", "image_pull_policy")
 
 #@ prepull = []
-#@ if data.values.imagePuller.prePullImages:
 #@ prepull.append("training-portal")
 #@ prepull.extend(data.values.imagePuller.prePullImages)
-#@ end
 
 ---
-#@ if prepull:
+#@ if data.values.imagePuller.enabled:
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/07-deployments.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/07-deployments.yaml
similarity index 92%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/07-deployments.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/07-deployments.yaml
index 03aa8372e..16f233a75 100644
--- a/carvel-packages/training-platform/bundle/config/11-session-manager/07-deployments.yaml
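Review bot: `prepull.extend(data.values.imagePuller.prePullImages)` now runs unconditionally, and the removed `if` guard was also what protected it from a null `prePullImages`, which Starlark's `extend` rejects; this is only safe if the values schema defaults the field to `[]`, which is not visible here — please confirm, or write `#@ prepull.extend(data.values.imagePuller.prePullImages or [])`. Gating the DaemonSet on `imagePuller.enabled` alone also means it is created with just `training-portal` when no extra images are configured, a behaviour change worth a sentence in the commit description.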
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/07-deployments.yaml
@@ -39,15 +39,17 @@ spec:
               drop: ["ALL"]
           startupProbe:
             initialDelaySeconds: 15
-            periodSeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 1
             successThreshold: 1
             failureThreshold: 4
             httpGet:
               path: /healthz?probe=startup
               port: 8080
           livenessProbe:
-            initialDelaySeconds: 5
-            periodSeconds: 5
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 1
             successThreshold: 1
             failureThreshold: 3
             httpGet:
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/10-secretcopiers.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/10-secretcopiers.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/10-secretcopiers.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/10-secretcopiers.yaml
diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/10-secretinjectors.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/10-secretinjectors.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/11-session-manager/10-secretinjectors.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/11-session-manager/10-secretinjectors.yaml
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/overlays.yaml
new file mode 100644
index 000000000..b23a44fc7
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/overlays.yaml
@@ -0,0 +1,36 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+"
+---
+metadata:
+  #@overlay/replace via=lambda left, right: "{}-baseline-{}".format(data.values.operator.namePrefix, left)
+  name: null
+
+#@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+"
+---
+spec:
+  rules:
+  #@overlay/match by=overlay.all,expects="0+"
+  - match:
+      any:
+      #@overlay/match by=overlay.all,expects="0+"
+      - resources:
+          #@overlay/match missing_ok=True
+          namespaceSelector:
+            #@overlay/match missing_ok=True
+            matchExpressions:
+            - key: #@ "training.{}/policy.engine".format(data.values.operator.apiGroup)
+              operator: In
+              values:
+              - kyverno
+            - key: #@ "training.{}/policy.name".format(data.values.operator.apiGroup)
+              operator: In
+              values:
+              - baseline
+              - restricted
+
+#@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+"
+---
+spec:
+  validationFailureAction: Enforce
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/LICENSE b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/LICENSE
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/LICENSE
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/LICENSE
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
similarity index 91%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
index e1c99cf4f..857a4db84 100644
--- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
@@ -22,6 +22,11 @@ spec:
       - resources:
           kinds:
           - Pod
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
           Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
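Review bot: The `preconditions` block is added to a file under `upstream/`, so the next sync with the kyverno policy library silently overwrites it; the `overlays.yaml` introduced earlier in this same change is the place for local edits, where an `#@overlay/match` on `spec.rules` could inject the `request.operation != DELETE` precondition into every baseline policy at once. As written only `disallow-capabilities` skips DELETE while the other baseline policies are moved unchanged, which reads as inconsistent rather than deliberate; if the edit must stay in this file, a `# educates: local change, keep on upstream sync` comment above it would at least make the drift visible.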
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-path/disallow-host-path.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-process/disallow-host-process.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-selinux/disallow-selinux.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/require-ingress-session-name.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/require-ingress-session-name.yaml
similarity index 54%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/require-ingress-session-name.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/require-ingress-session-name.yaml
index ef4b49003..5caf3b398 100644
--- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/require-ingress-session-name.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/require-ingress-session-name.yaml
@@ -15,19 +15,19 @@ spec: - name: session_namespace apiCall: urlPath: "/api/v1/namespaces/{{request.namespace}}" - jmesPath: "metadata.labels.\"training.educates.dev/session.name\" || '@'" + jmesPath: 'metadata.labels."training.educates.dev/session.name" || ''@''' preconditions: all: - - key: "{{ request.operation }}" - operator: AnyIn - value: ["CREATE", "UPDATE"] + - key: "{{ request.operation }}" + operator: AnyIn + value: ["CREATE", "UPDATE"] validate: message: "Ingress host name must embed the workshop session name." foreach: - - list: "request.object.spec.rules" - deny: - conditions: - any: - - key: "{{ contains(element.host, session_namespace) }}" - operator: NotEquals - value: true + - list: "request.object.spec.rules" + deny: + conditions: + any: + - key: "{{ contains(element.host, session_namespace) }}" + operator: NotEquals + value: true diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/LICENSE b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/LICENSE similarity index 100% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/LICENSE rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/LICENSE 
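Review bot: The `foreach` over `request.object.spec.rules` only evaluates rule entries that exist, so an Ingress whose `rules` list is empty (for example one that sets only `defaultBackend`) is never denied by this policy, and the companion disallow-empty-ingress-host policy in this same change compares host and http counts, which are both zero in that case. If an Ingress with no rules is not meant to be admitted in workshop namespaces, add a precondition on `length(request.object.spec.rules || `[]`)` or state the gap in the `message`. The single-quoted `jmesPath` is equivalent to the previous escaped form, and the `'@'` fallback for `session_namespace` makes `contains` fail closed when the namespace label is absent, which is the right direction.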
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml similarity index 68% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml index 1de484ed8..2aad52b0c 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml @@ -4,9 +4,10 @@ metadata: name: disallow-container-sock-mounts annotations: policies.kyverno.io/title: Disallow CRI socket mounts - policies.kyverno.io/category: Best Practices + policies.kyverno.io/category: Best Practices, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers @@ -18,9 +19,10 @@ spec: rules: - name: validate-docker-sock-mount match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Use of the Docker Unix socket is not allowed." pattern: 
@@ -30,9 +32,10 @@ spec: path: "!/var/run/docker.sock" - name: validate-containerd-sock-mount match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Use of the Containerd Unix socket is not allowed." pattern: @@ -42,13 +45,27 @@ spec: path: "!/var/run/containerd.sock" - name: validate-crio-sock-mount match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Use of the CRI-O Unix socket is not allowed." pattern: spec: =(volumes): - =(hostPath): - path: "!/var/run/crio.sock" \ No newline at end of file + path: "!/var/run/crio.sock" + - name: validate-dockerd-sock-mount + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Use of the Docker CRI socket is not allowed." + pattern: + spec: + =(volumes): + - =(hostPath): + path: "!/var/run/cri-dockerd.sock" diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml similarity index 87% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml index db74f1646..142f6323d 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml 
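Review bot: The new `validate-dockerd-sock-mount` rule, like the three rules above it in this file (the hunks on the previous line too), anchors on one literal `hostPath.path` string, so only an exact `/var/run/cri-dockerd.sock` is rejected and a hostPath mount of an enclosing directory, or of the same socket under an alternate path on hosts where `/var/run` is a symlink, is not matched. That is an upstream limitation rather than something this commit introduces, but given the description's own privilege-escalation warning the policy should be treated as defence in depth behind the restricted profile's restrict-volume-types policy, which disallows hostPath entirely. A note in `policies.kyverno.io/description` such as `Matches literal socket paths only; rely on restrict-volume-types for general hostPath coverage.` would make that dependency explicit.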
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml @@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Disallow empty Ingress host policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Ingress policies.kyverno.io/description: >- @@ -17,13 +18,15 @@ spec: rules: - name: disallow-empty-ingress-host match: - resources: - kinds: - - Ingress + any: + - resources: + kinds: + - Ingress validate: message: "The Ingress host name must be defined, not empty." deny: conditions: + all: - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}" operator: NotEquals value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}" \ No newline at end of file diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/restrict_node_port/restrict_node_port.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/restrict-node-port/restrict-node-port.yaml similarity index 86% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/restrict_node_port/restrict_node_port.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/restrict-node-port/restrict-node-port.yaml index ae4ff059b..5c5cfdb21 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/restrict_node_port/restrict_node_port.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/restrict-node-port/restrict-node-port.yaml 
@@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Disallow NodePort policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service policies.kyverno.io/description: >- @@ -19,11 +20,12 @@ spec: rules: - name: validate-nodeport match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "Services of type NodePort are not allowed." pattern: spec: - type: "!NodePort" \ No newline at end of file + =(type): "!NodePort" diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml similarity index 90% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml index 08964030e..4d5fdaa95 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml 
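Review bot: `=(type): "!NodePort"` makes the `type` key optional while keeping the negation, so a Service that omits `type` no longer fails the pattern; since the API server defaults `type` to `ClusterIP` before validating admission runs, that should be safe, but it is worth confirming against the pinned Kyverno version that `=()` behaves as intended here. Separately, this rule says nothing about `LoadBalancer` Services, which also allocate node ports unless `allocateLoadBalancerNodePorts: false` is set, so "no node-level exposure" depends on the companion restrict-loadbalancer policy being enforced in the same namespaces. Mentioning that dependency in `policies.kyverno.io/description` would help operators who enable the two policies independently.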
@@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Restrict External IPs policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service policies.kyverno.io/description: >- @@ -18,9 +19,10 @@ spec: rules: - name: check-ips match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "externalIPs are not allowed." pattern: diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/nginx-ingress/nginx-custom-snippets/disallow-custom-snippets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml similarity index 100% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/nginx-ingress/nginx-custom-snippets/disallow-custom-snippets.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/nginx-ingress/nginx_annotation_checks/restrict-annotations.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/nginx-ingress/restrict-annotations/restrict-annotations.yaml similarity index 100% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/nginx-ingress/nginx_annotation_checks/restrict-annotations.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/nginx-ingress/restrict-annotations/restrict-annotations.yaml 
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/nginx-ingress/nginx_path_checks/restrict-path.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/nginx-ingress/nginx_path_checks/restrict-path.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/disallow_localhost_services/disallow_localhost_services.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/b-d/disallow-localhost-services/disallow-localhost-services.yaml
similarity index 89%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/disallow_localhost_services/disallow_localhost_services.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/b-d/disallow-localhost-services/disallow-localhost-services.yaml
index 8bcf6292f..0c5123980 100644
--- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/disallow_localhost_services/disallow_localhost_services.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/b-d/disallow-localhost-services/disallow-localhost-services.yaml
@@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName @@ -17,9 +18,10 @@ spec: rules: - name: no-localhost-service match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "Service of type ExternalName cannot point to localhost." pattern: diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/prevent-cr8escape/prevent-cr8escape.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/m-q/prevent-cr8escape/prevent-cr8escape.yaml similarity index 100% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/prevent-cr8escape/prevent-cr8escape.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/m-q/prevent-cr8escape/prevent-cr8escape.yaml 
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/restrict_loadbalancer/restrict_loadbalancer.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/res/restrict-loadbalancer/restrict-loadbalancer.yaml similarity index 90% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/restrict_loadbalancer/restrict_loadbalancer.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/res/restrict-loadbalancer/restrict-loadbalancer.yaml index a9c87ed34..313c774c6 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream/other/restrict_loadbalancer/restrict_loadbalancer.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream/other/res/restrict-loadbalancer/restrict-loadbalancer.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Especially in cloud provider environments, a Service having type LoadBalancer will cause the provider to respond by creating a load balancer somewhere in the customer account. This adds @@ -19,9 +20,10 @@ spec: rules: - name: no-LoadBalancer match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "Service of type LoadBalancer is not allowed." pattern: 
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/overlays.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/overlays.yaml similarity index 54% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/overlays.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/overlays.yaml index 7a1ae681e..fb2027bde 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/overlays.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/overlays.yaml @@ -8,7 +8,6 @@ #@overlay/match by=overlay.subset({"kind":"ClusterPolicy", "metadata":{"name": "restrict-seccomp-strict"}}) #@overlay/remove --- - #@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+" --- metadata: 
@@ -19,24 +18,24 @@ metadata: --- spec: rules: - #@overlay/match by=overlay.all,expects="0+" - - match: - any: - #@overlay/match by=overlay.all,expects="0+" - - resources: - #@overlay/match missing_ok=True - namespaceSelector: - matchExpressions: - - key: #@ "training.{}/policy.engine".format(data.values.operator.apiGroup) - operator: In - values: - - kyverno - - key: #@ "training.{}/policy.name".format(data.values.operator.apiGroup) - operator: In - values: - - restricted + #@overlay/match by=overlay.all,expects="0+" + - match: + any: + #@overlay/match by=overlay.all,expects="0+" + - resources: + #@overlay/match missing_ok=True + namespaceSelector: + matchExpressions: + - key: #@ "training.{}/policy.engine".format(data.values.operator.apiGroup) + operator: In + values: + - kyverno + - key: #@ "training.{}/policy.name".format(data.values.operator.apiGroup) + operator: In + values: + - restricted #@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+" --- spec: - validationFailureAction: enforce + validationFailureAction: Enforce diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/LICENSE b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/LICENSE similarity index 100% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/LICENSE rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/LICENSE 
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml similarity index 97% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index ae09ef9c8..dbc478783 100644 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml @@ -38,7 +38,7 @@ spec: all: - key: ALL operator: AnyNotIn - value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" + value: "{{ element.securityContext.capabilities.drop[] || `[]` }}" - name: adding-capabilities-strict match: any: @@ -58,7 +58,7 @@ spec: deny: conditions: all: - - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" operator: AnyNotIn value: - NET_BIND_SERVICE 
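Review bot: Removing `.to_upper(@)` from both the `drop` and `add` expressions makes the comparison case-sensitive: a container declaring `drop: [all]` or `add: [net_bind_service]` is now denied instead of being normalised and accepted. That is the fail-closed direction and matches the literal upper-case names Kubernetes documents, though I have not verified whether the container runtime in use normalises case itself. Because this looks like a deliberate divergence from the upstream policy text (verify against the pinned upstream revision), a short note in `policies.kyverno.io/description`, e.g. `Capability names are compared case-sensitively; only canonical upper-case names are accepted.`, would stop a future upstream sync from silently reverting it.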
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
diff --git a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-namespace.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-volume-types/ns.yaml similarity index 59% rename from carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-namespace.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-volume-types/ns.yaml index 6f1c957e8..9cde8be39 100644 --- a/carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream/metacontroller-namespace.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-volume-types/ns.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: metacontroller + name: restrict-voltypes-ns \ No newline at end of file diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml similarity index 91% rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml index 8a6ac7cd3..fb8fd35d9 100644 
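Review bot: The new `ns.yaml` is a bare `Namespace` named `restrict-voltypes-ns` sitting inside the upstream restrict-volume-types policy directory; it reads like a test fixture carried over from the upstream policy repository rather than part of the policy itself (git's rename detection from the old metacontroller namespace file is an artifact of similar content, not of intent). If ytt renders every file under that `upstream` tree, this Namespace will be created in every cluster the installer package is applied to. Either drop the file, exclude it with an `#@overlay/remove` the way overlays.yaml already removes `restrict-seccomp-strict`, or, if it must stay, head it with `#! Upstream test fixture; not part of the policy.` so its presence is deliberate.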
--- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml @@ -24,6 +24,11 @@ spec: - resources: kinds: - Pod + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- Only the following types of volumes may be used: configMap, csi, downwardAPI, diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml new file mode 100644 index 000000000..05f2f3f15 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml @@ -0,0 +1,13 @@ +#! Cluster role bindings for the remote access. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: educates-remote-access +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: educates-remote-access +subjects: +- kind: ServiceAccount + name: remote-access + namespace: educates diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml new file mode 100644 index 000000000..b945fded8 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml 
@@ -0,0 +1,26 @@ +#! Cluster role for the remote access clients. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: educates-remote-access +rules: + - apiGroups: + - training.educates.dev + resources: + - trainingportals + - workshopenvironments + - workshopsessions + - workshopallocations + - workshops + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/secrets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/secrets.yaml new file mode 100644 index 000000000..7ed512e00 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/secrets.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: remote-access-token + namespace: educates + annotations: + kubernetes.io/service-account.name: remote-access + kapp.k14s.io/change-rule: "upsert after upserting educates/sa-with-separate-token-secret" +type: kubernetes.io/service-account-token diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml new file mode 100644 index 000000000..b31894cb2 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml @@ -0,0 +1,8 @@ +#! ServiceAccount for remote access clients. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: remote-access + namespace: educates + annotations: + kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret" 
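Review bot: The second rule lists `customresourcedefinitions` under `apiGroups: [""]`, but CustomResourceDefinition is not a core-group resource; it lives in `apiextensions.k8s.io`, so as written this rule grants nothing and a client using this token to read CRDs will receive Forbidden. Change the group to `- apiGroups:` / `  - apiextensions.k8s.io` under that rule. Before doing so, consider whether the remote-access clients need cluster-wide `get`/`list`/`watch` on all CRDs at all, since that enumerates every installed API in the cluster; if they only need the training types, the first rule already covers those.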
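Review bot: `remote-access-token` is a `kubernetes.io/service-account-token` Secret, i.e. a long-lived, non-expiring bearer token for the `remote-access` ServiceAccount that, via the new ClusterRoleBinding, reads every training resource cluster-wide. Nothing in the new files says how the token is rotated, who is expected to read this Secret, or that it should be treated as a production credential. A header comment such as `#! Long-lived token for out-of-cluster clients; rotate by recreating this Secret and redistributing the value.` (adjust to the actual procedure) plus RBAC that limits `get` on this Secret to the component that needs it would be appropriate. The `kapp.k14s.io/change-rule` ordering against the ServiceAccount looks correct.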
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star new file mode 100644 index 000000000..43f7bc24d --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/00-package.star @@ -0,0 +1,55 @@ +load("@ytt:data", "data") +load("@ytt:base64", "base64") +load("@ytt:json", "json") + +def xgetattr(object, path, default=None): + def _lookup(object, key, default=None): + keys = key.split(".") + value = default + for key in keys: + value = getattr(object, key, None) + if value == None: + return default + end + object = value + end + return value + end + + return _lookup(object, path, default) +end + +def image_reference(name): + registry = xgetattr(data.values, "imageRegistry.host", "registry.default.svc.cluster.local") + if xgetattr(data.values, "imageRegistry.namespace", "") != "": + registry = "{}/{}".format(registry, data.values.imageRegistry.namespace) + end + image = "{}/educates-{}:{}".format(registry, name, data.values.version) + for item in data.values.imageVersions: + if item.name == name: + image = item.image + break + end + end + return image +end + +def image_pull_policy(image): + tag = image.split(":") + always = len(tag) <= 1 or tag[-1] in ["latest", "main", "master", "develop"] + return always and "Always" or "IfNotPresent" +end + +#! def image_pull_secrets(): +#! return [item["name"] for item in data.values.clusterSecrets.pullSecretRefs] +#! end +#! +#! def docker_config_json(host, username, password): +#! return json.encode({ +#! "auths": { +#! host: { +#! "auth": base64.encode("{}:{}".format(username, password)) +#! } +#! } +#! }) +#! end 
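Review bot: `image_pull_policy` misclassifies untagged images whenever the registry host carries a port: for a constructed reference like `registry.example:5000/educates-foo`, `image.split(":")` yields two parts, so `len(tag) <= 1` is false and the policy becomes `IfNotPresent` even though the reference resolves to the mutable `latest` tag. Inspect only the final path component, `name = image.split("/")[-1]` followed by `tag = name.split(":")`, so that registry ports cannot masquerade as tags (a `@sha256:` digest reference still lands in the `IfNotPresent` branch, which is the desired outcome for an immutable reference). In `xgetattr`, the inner `_lookup` shadows its own `key` parameter with the loop variable and rebinds the `object` parameter, which works but reads as a bug; renaming the loop variable (`for part in keys:`) would help. Both public functions would also benefit from one-line `#!` comments stating what they return.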
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ca-injector.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ca-injector.yaml new file mode 100644 index 000000000..b6e8f517f --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ca-injector.yaml @@ -0,0 +1,40 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@overlay/match by=overlay.subset({"kind":"Deployment"}) +--- +spec: + template: + spec: + #@ if data.values.caName != None and data.values.caName != "": + #@overlay/match missing_ok=True + initContainers: + - name: ca-trust-store-initialization + image: #@ data.values.workshopBaseImage + imagePullPolicy: #@ data.values.workshopBaseImagePullPolicy + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + runAsUser: 0 + command: + - /opt/eduk8s/sbin/setup-certificates + volumeMounts: + - name: workshop-ca + mountPath: /etc/pki/ca-trust/source/anchors/Cluster_Ingress_CA.pem + subPath: ca.crt + - name: workshop-ca-trust + mountPath: /mnt + containers: + #@overlay/match by="name" + - name: lookup-service + volumeMounts: + - name: workshop-ca-trust + mountPath: /etc/pki/ca-trust + readOnly: true + volumes: + - name: workshop-ca + secret: + secretName: #@ data.values.caName + - name: workshop-ca-trust + emptyDir: {} + #@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml new file mode 100644 index 000000000..9b8d0c701 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-image.yaml 
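Review bot: The `ca-trust-store-initialization` init container runs with `runAsUser: 0` and `runAsNonRoot: false`, which the restricted-profile policies moved by this same commit (require-run-as-nonroot, disallow-capabilities-strict) are designed to reject; whether the `educates` namespace is labelled into that policy scope is not visible here, so please confirm the Deployment is admitted with the restricted profile enabled. If root is genuinely required, presumably because `/opt/eduk8s/sbin/setup-certificates` writes into the trust store it mounts, document that next to the container, e.g. `#! Runs as root: setup-certificates needs to write the CA trust store populated under /mnt.` Adding `capabilities: {drop: [ALL]}` and a `seccompProfile` of `RuntimeDefault` to this init container would bring it closer to the restricted baseline without changing what it does; the read-only mount of `workshop-ca-trust` into the main container is good.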
@@ -0,0 +1,13 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@overlay/match by=overlay.subset({"kind":"Deployment"})
+---
+spec:
+ template:
+ spec:
+ containers:
+ #@overlay/match by="name"
+ - name: lookup-service
+ image: #@ data.values.image
+ imagePullPolicy: #@ data.values.imagePullPolicy
\ No newline at end of file
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml
new file mode 100644
index 000000000..95fd05996
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/overlays.yaml/overlay-ingress.yaml
@@ -0,0 +1,15 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@overlay/match by=overlay.subset({"kind":"Ingress"})
+---
+spec:
+ rules:
+ #@overlay/match by=overlay.index(0)
+ - host: #@ data.values.tld
+ #@overlay/match missing_ok=True
+ #@ if/end data.values.certName != None:
+ tls:
+ - hosts:
+ - #@ data.values.tld
+ secretName: #@ data.values.certName
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml
new file mode 100644
index 000000000..9a710104a
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml
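Review bot: The TLS guard `#@ if/end data.values.certName != None:` in overlay-ingress.yaml never fails, because `values-schema.yaml` in this change declares `certName: ""` as a plain string, so an unset value is `""` rather than `None` and the rendered Ingress carries a `tls` entry with `secretName: ""`; depending on the ingress controller that is either a rejected object or a lookup host silently served with the controller's default certificate. The CA overlay already gets this right with `caName != None and caName != ""`, so use the same test here: `#@ if/end data.values.certName != None and data.values.certName != "":`. Alternatively mark `certName` as `#@schema/nullable` in the schema so the `None` comparison becomes meaningful.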
@@ -0,0 +1,13 @@
+#! Cluster role bindings for the lookup service.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: educates-lookup-service
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: educates-lookup-service
+subjects:
+- kind: ServiceAccount
+ name: lookup-service
+ namespace: educates
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml
new file mode 100644
index 000000000..c4ddc10b7
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml
@@ -0,0 +1,74 @@
+#! Cluster role for the lookup service application.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: educates-lookup-service
+rules:
+ #! We need ability to watch for changes to CRDs so kopf can tell if its own
+ #! custom resources have changed.
+ #! NOTE: Disabled as this results in Educates not being able to be uninstalled
+ #! when any of the lookup service configuration exists.
+ #! - apiGroups:
+ #! - apiextensions.k8s.io
+ #! resources:
+ #! - customresourcedefinitions
+ #! verbs:
+ #! - get
+ #! - list
+ #! - watch
+ #! We need the ability to watch for namespace changes. This is required by
+ #! kopf to know when to start and stop watching for changes to the specific
+ #! namespace is has been told to monitor.
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ #! We need the ability to create events in the application namespace so kopf
+ #! can log events.
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ #! We need read/write access to the ClusterConfig, ClientConfig and
+ #! TenantConfig custom resources from the lookup.educates.dev API group.
+ - apiGroups:
+ - lookup.educates.dev
+ resources:
+ - clusterconfigs
+ - clientconfigs
+ - tenantconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ #! We need update access to the finalizers of the ClusterConfig, ClientConfig
+ #! and TenantConfig custom resources from the lookup.educates.dev API group so
+ #! kopf can track deletion.
+ - apiGroups:
+ - lookup.educates.dev
+ resources:
+ - clusterconfigs/finalizers
+ - clientconfigs/finalizers
+ - tenantconfigs/finalizers
+ verbs:
+ - update
+ #! We need read access to the secrets in the application namespace, so we can
+ #! read the kubeconfig for the managed cluster. This is done as cluster role
+ #! rather than role against a namespace, as the actual namespace name is
+ #! configurable and not fixed.
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml
new file mode 100644
index 000000000..ed63f69f0
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clientconfig.yaml
@@ -0,0 +1,50 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clientconfigs.lookup.educates.dev
+spec:
+ scope: Namespaced
+ group: lookup.educates.dev
+ names:
+ plural: clientconfigs
+ singular: clientconfig
+ kind: ClientConfig
+ categories:
+ - educates-lookup
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ required:
+ - client
+ - roles
+ properties:
+ client:
+ type: object
+ required:
+ - password
+ properties:
+ password:
+ type: string
+ minLength: 8
+ user:
+ type: string
+ roles:
+ type: array
+ items:
+ type: string
+ minLength: 1
+ tenants:
+ type: array
+ items:
+ type: string
+ minLength: 1
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml
new file mode 100644
index 000000000..8c0ad3136
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-clusterconfig.yaml
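Review bot: The final rule of the `educates-lookup-service` ClusterRole grants `get`/`list`/`watch` on `secrets` with no namespace scope, so the `lookup-service` service account can read every Secret in the cluster rather than just the kubeconfigs it needs; the comment justifies that with a configurable namespace, but `deployments.yaml` and `clusterrolebindings.yaml` in this same change hard-code `namespace: educates`, and `ClusterConfig` is a namespaced CRD whose `secretRef` can only resolve in the CR's own namespace anyway. Move this rule (and the equally unscoped `events` create rule) into a namespaced `Role` plus `RoleBinding` in the application namespace — the namespace can still come from a ytt value if it genuinely varies — and keep the ClusterRole for `namespaces` and the `lookup.educates.dev` resources. `resourceNames` does not help here because it is not honoured for `list`/`watch`, so namespace scoping is the control that matters.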
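Review bot: The `ClientConfig` schema stores the client credential inline (`spec.client.password`, `minLength: 8`), so it is readable by anyone with `get` on `clientconfigs`, appears in `kubectl get -o yaml` output, in audit logs that record request bodies and in etcd backups, and rotating it means editing the CR. The sibling `ClusterConfig` CRD in this change already uses `credentials.kubeconfig.secretRef` for its sensitive value and the controller's ClusterRole can read Secrets, so the same shape fits here: a `client.passwordSecretRef: {name, key}` object, with `password` kept only for a deprecation period and `oneOf` requiring one of the two. A schema `description` on `password` stating that it is stored in plaintext in the API object would at least make the trade-off visible if the inline field is kept.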
@@ -0,0 +1,64 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterconfigs.lookup.educates.dev +spec: + scope: Namespaced + group: lookup.educates.dev + names: + plural: clusterconfigs + singular: clusterconfig + kind: ClusterConfig + categories: + - educates-lookup + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Specification of the cluster configuration. + properties: + labels: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + value: + type: string + credentials: + type: object + description: Credentials for the cluster. + required: + - kubeconfig + properties: + kubeconfig: + type: object + properties: + secretRef: + type: object + description: Reference to the secret containing the kubeconfig for the cluster. + required: + - name + properties: + name: + type: string + description: Name of the secret containing the kubeconfig for the cluster. + key: + type: string + description: Key in the secret containing the kubeconfig for the cluster. + default: config + context: + type: string + description: Context in the kubeconfig for the cluster. + status: + type: object + x-kubernetes-preserve-unknown-fields: true diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml new file mode 100644 index 000000000..008073bda --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/crd-tenantconfig.yaml 
@@ -0,0 +1,109 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tenantconfigs.lookup.educates.dev +spec: + scope: Namespaced + group: lookup.educates.dev + names: + plural: tenantconfigs + singular: tenantconfig + kind: TenantConfig + categories: + - educates-lookup + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + clusters: + type: object + properties: + nameSelector: + type: object + required: + - matchNames + properties: + matchNames: + type: array + items: + type: string + labelSelector: + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + values: + type: array + items: + type: string + portals: + type: object + properties: + nameSelector: + type: object + required: + - matchNames + properties: + matchNames: + type: array + items: + type: string + labelSelector: + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + values: + type: array + items: + type: string + status: + type: object + x-kubernetes-preserve-unknown-fields: true diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml new file mode 100644 index 000000000..0bfb24220 
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/deployments.yaml
@@ -0,0 +1,30 @@
+#! Deployment for the lookup service. It will be listening on port 8080.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: lookup-service
+ namespace: educates
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: lookup-service
+ template:
+ metadata:
+ labels:
+ app: lookup-service
+ spec:
+ serviceAccountName: lookup-service
+ containers:
+ - name: lookup-service
+ image: NAME
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: cluster-access-token
+ mountPath: /opt/cluster-access-token
+ volumes:
+ - name: cluster-access-token
+ secret:
+ secretName: remote-access-token
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml
new file mode 100644
index 000000000..fe30cca6d
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/ingresses.yaml
@@ -0,0 +1,18 @@
+#! Ingress for the lookup service mapping to the lookup service Service.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: lookup-service
+ namespace: educates
+spec:
+ rules:
+ - host: HOST
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: lookup-service
+ port:
+ number: 8080
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
new file mode 100644
index 000000000..807d973ee
--- /dev/null
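Review bot: Neither the pod nor the `lookup-service` container in deployments.yaml sets a `securityContext`, and the `cluster-access-token` Secret mount is writable, whereas the external-dns overlay in this same change defaults to non-root, no privilege escalation, all capabilities dropped and RuntimeDefault seccomp; this workload holds a remote-access token and, via its ClusterRole, cluster-wide Secret read, so it should get at least that floor, sketched below. `readOnlyRootFilesystem` is omitted because I cannot tell from the diff whether the process writes to disk, and `runAsNonRoot: true` assumes the image's `USER` is non-root — confirm both; the CA init container in `overlay-ca-injector.yaml` sets its own `runAsNonRoot: false`, which overrides the pod-level value, so the two compose. The `remote-access-token` Secret is referenced but not created anywhere in this diff, so a comment stating where it comes from (the installer, presumably) would save the next reader a hunt. No `resources` requests or limits are set either.
```yaml
    spec:
      serviceAccountName: lookup-service
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: lookup-service
        # … unchanged: image, imagePullPolicy, ports …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: cluster-access-token
          mountPath: /opt/cluster-access-token
          readOnly: true
      # … unchanged: volumes …
```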
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
@@ -0,0 +1,6 @@
+#! ServiceAccount to run the lookup service application.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: lookup-service
+ namespace: educates
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml
new file mode 100644
index 000000000..c3349b235
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/services.yaml
@@ -0,0 +1,13 @@
+#! Service for the lookup service.
+apiVersion: v1
+kind: Service
+metadata:
+ name: lookup-service
+ namespace: educates
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ app: lookup-service
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml
new file mode 100644
index 000000000..085291b34
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/values-schema.yaml
@@ -0,0 +1,12 @@
+#@data/values-schema
+---
+#! Ingress
+tld: ""
+certName: ""
+#! Custom CA
+caName: ""
+#! Images
+image: ""
+imagePullPolicy: ""
+workshopBaseImage: ""
+workshopBaseImagePullPolicy: ""
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/.gitkeep b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/assertions.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/assertions.yaml new file mode 100644 index 000000000..66ac8ffda --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/assertions.yaml @@ -0,0 +1,30 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:assert", "assert") + +#@ if data.values.infraProvider == "custom": + +#! Search deployment args for provider and source flags +#@ providerFound = False +#@ sourceFound = False +#@ for entry in data.values.deployment.args: +#@ if entry.startswith("--provider"): +#@ providerFound = True +#@ end +#@ if entry.startswith("--source"): +#@ sourceFound = True +#@ end +#@ end + +#! Fail to render if provider or source flag are not present +#@ failMessage = "" +#@ if not providerFound: +#@ failMessage += "\n--provider is required in deployment.args to define a DNS provider where records will be created" +#@ end +#@ if not sourceFound: +#@ failMessage += "\n--source is required in deployment.args to query for endpoints" +#@ end +#@ if failMessage != "": +#@ assert.fail("Missing required values:{}".format(failMessage)) +#@ end + +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/defaults.star b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/defaults.star new file mode 100644 index 000000000..a23ca2696 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/defaults.star 
@@ -0,0 +1,72 @@ +load("@ytt:data", "data") + +def get_default_aws_args(): + args = [ + "--provider=aws", + "--source=service", + "--aws-prefer-cname", + "--aws-zone-match-parent", + "--registry=txt", + "--txt-prefix=txt", + ] + #! These are removed as in AWS we just need the wildcard for the envoy service + #! "--source=ingress", + #! "--source=contour-httpproxy", + + if hasattr(data.values.aws, "args"): + if data.values.aws.args.zone_type: + args.append("--aws-zone-type={}".format(data.values.aws.args.zone_type)) + end + + if data.values.aws.args.policy: + args.append("--policy={}".format(data.values.aws.args.policy)) + end + + if data.values.aws.args.domain_filter: + args.append("--domain-filter={}".format(data.values.aws.args.domain_filter)) + end + + if data.values.aws.args.txt_owner_id: + args.append("--txt-owner-id={}".format(data.values.aws.args.txt_owner_id)) + end + end + + return args +end + +def get_default_google_args(): + args = [ + "--provider=google", + "--source=service", + "--log-format=json", + "--registry=txt", + "--txt-prefix=txt", + ] + #! These are removed as in GCP we just need the wildcard for the envoy service + #! "--source=ingress", + #! "--source=contour-httpproxy", + + if hasattr(data.values.gcp, "args"): + if data.values.gcp.args.zone_visibility: + args.append("--google-zone-visibility={}".format(data.values.gcp.args.zone_visibility)) + end + + if data.values.gcp.args.policy: + args.append("--policy={}".format(data.values.gcp.args.policy)) + end + + if data.values.gcp.args.domain_filter: + args.append("--domain-filter={}".format(data.values.gcp.args.domain_filter)) + end + + if data.values.gcp.args.txt_owner_id: + args.append("--txt-owner-id={}".format(data.values.gcp.args.txt_owner_id)) + end + + if data.values.gcp.args.project: + args.append("--google-project={}".format(data.values.gcp.args.project)) + end + end + + return args +end 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-aws.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-aws.yaml new file mode 100644 index 000000000..c687876b3 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-aws.yaml 
@@ -0,0 +1,65 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") +#@ load("@ytt:base64", "base64") +#@ load("@ytt:assert", "assert") +#@ load("defaults.star", "get_default_aws_args") + +#@ if data.values.infraProvider=="aws": + +#@ (hasAwsCredsAccessKey, _) = assert.try_to(lambda: len(data.values.aws.credentials.accessKey) > 0) +#@ (hasAwsCredsSecretKey, _) = assert.try_to(lambda: len(data.values.aws.credentials.secretKey) > 0) +#@ if (hasAwsCredsSecretKey and not hasAwsCredsAccessKey) or (not hasAwsCredsSecretKey and hasAwsCredsAccessKey): +#@ assert.fail("`aws.credentials.accessKey` and `aws.credentials.secretKey` must both be provided") +#@ end + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + containers: + #@overlay/match by="name" + - name: external-dns + #@overlay/replace + args: #@ get_default_aws_args() + +#@ if hasAwsCredsAccessKey and hasAwsCredsSecretKey: + +#! 
When providing the `aws.credentials` the provider must be `aws` +#@ if "--provider=aws" not in get_default_aws_args(): +#@ assert.fail("Use of `aws.credentials` requires using the aws provider") +#@ end + +--- +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-aws-values + namespace: #@ data.values.namespace +type: Opaque +data: + awsAccessKeyID: #@ base64.encode("{}".format(data.values.aws.credentials.accessKey)) + awsSecretAccessKey: #@ base64.encode("{}".format(data.values.aws.credentials.secretKey)) + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + containers: + #@overlay/match by=overlay.subset({"name": "external-dns"}) + - env: + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: external-dns-aws-values + key: awsAccessKeyID + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: external-dns-aws-values + key: awsSecretAccessKey +#@ end +#@ end diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-azure.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-azure.yaml new file mode 100644 index 000000000..9a641b980 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-azure.yaml 
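Review bot: The guard `#@ if "--provider=aws" not in get_default_aws_args():` in overlay-aws.yaml can never fire, because `get_default_aws_args()` in `defaults.star` (same change) unconditionally starts its list with `--provider=aws`, so the `assert.fail` is dead code; either drop the check or test the args that are actually rendered into the Deployment. On the credential path, static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in a Secret should be the fallback rather than the documented route on EKS — the package already exposes `serviceaccount.annotations`, so a comment above the Secret such as `#! Prefer IRSA via serviceaccount.annotations (eks.amazonaws.com/role-arn); set aws.credentials only when no pod identity is available` steers users to the keyless option. `base64.encode("{}".format(data.values.aws.credentials.accessKey))` wraps a value the schema already types as a string; `base64.encode(data.values.aws.credentials.accessKey)` is equivalent and clearer.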
@@ -0,0 +1,58 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") +#@ load("@ytt:json", "json") +#@ load("@ytt:struct", "struct") +#@ load("@ytt:assert", "assert") + +#@ if data.values.azure: +#@ if data.values.azure.resourceGroup == "": +#@ assert.fail("`data.values.azure.resourceGroup` must be specified") +#@ end +#@ if data.values.azure.tenantId == "": +#@ assert.fail("`data.values.azure.tenantId` must be specified") +#@ end +#@ if data.values.azure.subscriptionId == "": +#@ assert.fail("`data.values.azure.subscriptionId` must be specified") +#@ end +#@ if data.values.azure.useManagedIdentityExtension in [None, False] and data.values.azure.aadClientSecret in [None, ""]: +#@ assert.fail("`data.values.azure.aadClientSecret` must be specified if not using managed identity extension") +#@ end +#@ if data.values.azure.useManagedIdentityExtension in [None, False] and data.values.azure.aadClientId in [None, ""]: +#@ assert.fail("`data.values.azure.aadClientId` must be specified if not using managed identity extension") +#@ end +#@ +#@ json_data = {} +#@ azure_config = data.values.azure +#@ for key in azure_config: +#@ if azure_config[key] != None: +#@ json_data[key] = azure_config[key] +#@ end +#@ end + +--- +apiVersion: v1 +kind: Secret +metadata: + name: azure-config-file + namespace: #@ data.values.namespace +type: Opaque +stringData: + azure.json: #@ json.encode(json_data) + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + volumes: + - name: azure-config-file + secret: + secretName: azure-config-file + containers: + #@overlay/match by=overlay.subset({"name": "external-dns"}) + - volumeMounts: + - name: azure-config-file + mountPath: /etc/kubernetes + readOnly: true +#@ end 
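Review bot: This overlay is gated on `#@ if data.values.azure:` rather than on `infraProvider`, unlike the `aws` (`infraProvider=="aws"`) and `gcp` (`infraProvider=="gcp"`) overlays in this change, so any installation that carries an `azure` values block creates the `azure-config-file` Secret, with `aadClientSecret` in it, and mounts it into external-dns even when another provider is selected. Gate it the same way: `#@ if data.values.infraProvider == "azure" and data.values.azure:`. I also do not see any overlay adding `--provider=azure` or an azure-specific argument set comparable to `get_default_aws_args`/`get_default_google_args`, so with `infraProvider: azure` the container appears to keep the upstream `--source`/`--registry` args with no provider at all — worth confirming, since the `azure` section of the values schema is cut off at the end of this diff.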
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-clusterrole.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-clusterrole.yaml new file mode 100644 index 000000000..c577a0646 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-clusterrole.yaml @@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@overlay/match by=overlay.subset({"kind":"ClusterRole"}), expects=1 +--- +rules: + #@overlay/append + - apiGroups: ["projectcontour.io"] + resources: ["httpproxies"] + verbs: ["get", "watch", "list"] diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-custom.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-custom.yaml new file mode 100644 index 000000000..13bb54ebe --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-custom.yaml @@ -0,0 +1,28 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@ if data.values.infraProvider=="custom": + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +--- +spec: + template: + spec: + containers: + #@overlay/match by=overlay.subset({"name": "external-dns"}) + - name: external-dns + #@overlay/remove + args: + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + containers: + #@overlay/match by=overlay.subset({"name": "external-dns"}) + - name: external-dns + args: #@ data.values.deployment.args + +#@ end 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-deployment.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-deployment.yaml new file mode 100644 index 000000000..5bac5c5c0 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-deployment.yaml 
@@ -0,0 +1,60 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#! First remove upstream configuration, then replace. +#! The initial removal is because the ytt `replace` operator +#! doesn't add any missing keys (a "replace-insert" feature has been requested). +#! To avoid the case when upstream changes occur that add or remove keys, +#! we just remove all of them and then in the next block, add them back in. + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + containers: + #@overlay/match by=overlay.subset({"name": "external-dns"}) + - + #@overlay/remove + env: + #@overlay/remove + securityContext: + #@overlay/remove + volumeMounts: + #@overlay/remove + volumes: + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + #@overlay/merge missing_ok=True + metadata: + #@overlay/merge missing_ok=True + #@ if/end data.values.deployment.podLabels != None: + labels: #@ data.values.deployment.podLabels + spec: + containers: + #@overlay/match by="name" + - name: external-dns + #@ if/end data.values.deployment.env: + env: #@ data.values.deployment.env + #@ if data.values.deployment.securityContext: + securityContext: #@ data.values.deployment.securityContext + #@ else: + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 65534 + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + #@ end + #@ if/end data.values.deployment.volumeMounts: + volumeMounts: #@ data.values.deployment.volumeMounts + #@ if/end data.values.deployment.volumes: + volumes: #@ data.values.deployment.volumes 
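Review bot: The first document removes `env`, `securityContext`, `volumeMounts` and `volumes` from the external-dns container before the second re-adds them from `deployment.*`, and ytt applies a directory's overlays in file-name order, so as far as I can tell this runs after `overlay-aws.yaml` (which adds the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` env) and `overlay-azure.yaml` (which adds the `azure-config-file` mount) and discards what they added unless the user repeats them in `deployment.env`/`deployment.volumeMounts`. Please render with `infraProvider: aws` and `azure` and check; if the entries are lost, give this file a name that sorts first (e.g. `overlay-00-deployment.yaml`) or append to the lists instead of `remove`-then-replace. The collapsed diff also hides indentation, so I cannot tell whether `volumes` sits under the container item or under `spec.template.spec` where it belongs — worth a look. Lastly, a user-supplied `deployment.securityContext` replaces the hardened default wholesale; a comment above the `#@ if` such as `#! Default matches the restricted Pod Security Standard; overrides should keep runAsNonRoot and drop ALL capabilities` makes the expectation explicit.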
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-google.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-google.yaml new file mode 100644 index 000000000..1db094187 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-google.yaml @@ -0,0 +1,30 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") +#@ load("@ytt:base64", "base64") +#@ load("@ytt:assert", "assert") +#@ load("defaults.star", "get_default_google_args") + +#@ if data.values.infraProvider=="gcp": + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + containers: + #@overlay/match by="name" + - name: external-dns + #@overlay/replace + args: #@ get_default_google_args() + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +spec: + template: + spec: + nodeSelector: + iam.gke.io/gke-metadata-server-enabled: "true" +#@ end + diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-image.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-image.yaml new file mode 100644 index 000000000..fbee27395 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-image.yaml 
@@ -0,0 +1,15 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "external-dns"}}) +--- +spec: + template: + spec: + containers: + #@overlay/match by=overlay.map_key("name") + - name: external-dns + #@overlay/replace + image: #@ data.values.image.name + #@overlay/match missing_ok=True + imagePullPolicy: #@ data.values.image.pullPolicy \ No newline at end of file diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-ns.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-ns.yaml new file mode 100644 index 000000000..87dc2c24b --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-ns.yaml @@ -0,0 +1,27 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@ if/end data.values.createNamespace: +#@overlay/insert +--- +apiVersion: v1 +kind: Namespace +metadata: + name: #@ data.values.namespace + +#@ deployment=overlay.subset({"kind": "Deployment"}) +#@ sa=overlay.subset({"kind":"ServiceAccount"}) +#@overlay/match by=overlay.or_op(deployment, sa), expects=2 +--- +metadata: + #@overlay/match missing_ok=True + namespace: #@ data.values.namespace + +#@overlay/match by=overlay.subset({"kind":"ClusterRoleBinding"}) +--- +subjects: + #@overlay/match by="name" + - name: external-dns + #@overlay/match missing_ok=True + namespace: #@ data.values.namespace + diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-serviceaccount.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-serviceaccount.yaml new file mode 100644 index 000000000..432b86f45 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/overlays/overlay-serviceaccount.yaml 
@@ -0,0 +1,9 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@overlay/match by=overlay.subset({"kind":"ServiceAccount", "metadata":{"name":"external-dns"}}) +#@overlay/match-child-defaults missing_ok=True +--- +metadata: + #@ if/end data.values.serviceaccount.annotations: + annotations: #@ data.values.serviceaccount.annotations diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-clusterrole.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-clusterrole.yaml new file mode 100644 index 000000000..5bcc705b4 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-clusterrole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-dns +rules: + - apiGroups: [''] + resources: ['endpoints', 'pods', 'services'] + verbs: ['get', 'watch', 'list'] + - apiGroups: ['extensions'] + resources: ['ingresses'] + verbs: ['get', 'watch', 'list'] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get","watch","list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["watch", "list"] diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-clusterrolebinding.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-clusterrolebinding.yaml new file mode 100644 index 000000000..f50cfba77 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-clusterrolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-dns-viewer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-dns +subjects: + - kind: ServiceAccount + name: external-dns + namespace: default 
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-deployment.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-deployment.yaml new file mode 100644 index 000000000..989587b61 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-deployment.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-dns +spec: + strategy: + type: Recreate + selector: + matchLabels: + app: external-dns + template: + metadata: + labels: + app: external-dns + spec: + serviceAccountName: external-dns + containers: + - name: external-dns + image: registry.k8s.io/external-dns/external-dns + args: + - --source=service + - --source=ingress + - --registry=txt diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-serviceaccount.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-serviceaccount.yaml new file mode 100644 index 000000000..5b022409b --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream/external-dns-serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: external-dns diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/values-schema.yaml new file mode 100644 index 000000000..110a3ddf1 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/values-schema.yaml 
@@ -0,0 +1,136 @@
+#! schema.yaml
+
+#@ def example_args():
+- --source=service
+- --txt-owner-id=k8s
+- --domain-filter=k8s.example.org
+- --namespace=tanzu-system-service-discovery
+- --provider=rfc2136
+- --rfc2136-host=100.69.97.77
+- --rfc2136-port=53
+- --rfc2136-zone=k8s.example.org
+- --rfc2136-tsig-secret=MTlQs3NNU=
+- --rfc2136-tsig-secret-alg=hmac-sha256
+- --rfc2136-tsig-keyname=externaldns-key
+- --rfc2136-tsig-axfr
+#@ end
+
+#@ def example_values():
+---
+namespace: tanzu-system-service-discovery
+deployment:
+ args: #@ example_args()
+ env: []
+ securityContext: {}
+ volumeMounts: []
+ volumes: []
+serviceaccount:
+ annotations:
+ key: value
+#@ end
+
+#@data/values-schema
+#@schema/title "external-dns values schema"
+#@schema/desc "OpenAPIv3 Schema for external-dns"
+#@schema/examples ("Example of external-dns values", example_values()[0])
+---
+#@schema/desc "Infrastructure provider for the underlying infrastructure"
+#@schema/validation one_of=["aws", "azure", "gcp", "custom"]
+infraProvider: "custom"
+#@schema/desc "The namespace in which to deploy ExternalDNS"
+namespace: external-dns
+#@schema/desc "Create/delete the namespace ExternalDNS is deployed to when the package is installed/uninstalled"
+createNamespace: true
+#@schema/desc "Image version to use for the ExternalDNS container"
+image:
+ name: "registry.k8s.io/external-dns/external-dns:v0.14.2"
+ pullPolicy: "IfNotPresent"
+#@schema/desc "Deployment related configuration"
+deployment:
+ #@schema/desc "List of arguments passed via command-line to external-dns. For more guidance on configuration options for your desired DNS provider, consult the ExternalDNS docs at https://github.com/kubernetes-sigs/external-dns#running-externaldns."
+ #@schema/examples ("Example for rfc2136", example_args())
+ args: [""]
+ #@schema/desc "List of environment variables to set in the external-dns container."
+ #@schema/nullable
+ env:
+ - name: ""
+ value: ""
+ #@schema/type any=True
+ valueFrom: null
+ #@schema/desc "SecurityContext defines the security options the external-dns container should be run with. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+ #@schema/type any=True
+ securityContext: null
+ #@schema/desc "Pod volumes to mount into the external-dns container's filesystem."
+ #@schema/nullable
+ volumeMounts:
+ #@schema/type any=True
+ - null
+ #@schema/desc "List of volumes that can be mounted by containers belonging to the external-dns pod. More info: https://kubernetes.io/docs/concepts/storage/volumes"
+ #@schema/nullable
+ volumes:
+ #@schema/type any=True
+ - null
+ #@schema/desc "Labels to be added to all deployment pods"
+ #@schema/type any=True
+ podLabels: null
+#@schema/desc "Service account related configuration"
+serviceaccount:
+ #@schema/desc "Annotations that can be set on the external-dns service account. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/"
+ #@schema/type any=True
+ annotations: null
+
+#@schema/desc "AWS provider related configuration"
+#@schema/nullable
+aws:
+ #@schema/nullable
+ credentials:
+ #@schema/desc "AWS access key. When provided along with the aws.secretKey, a Secret will be created and referenced in the external-dns Deployment."
+ accessKey: ""
+ #@schema/desc "AWS secret key. When provided along with the aws.accessKey, a Secret will be created and referenced in the external-dns Deployment."
+ secretKey: ""
+ args:
+ zone_type: "public"
+ policy: "upsert-only"
+ domain_filter: ""
+ txt_owner_id: "educates"
+
+#@schema/desc "Azure configuration. Package will create azure.json Secret, Volume, and VolumeMount with supplied values."
+#@schema/nullable
+azure:
+ #@schema/desc "AAD Client ID"
+ #@schema/nullable
+ aadClientId: ""
+ #@schema/desc "AAD Client Secret"
+ #@schema/nullable
+ aadClientSecret: ""
+ #@schema/desc "Cloud"
+ #@schema/nullable
+ cloud: ""
+ #@schema/desc "Resource Group"
+ resourceGroup: ""
+ #@schema/desc "Subscription ID"
+ subscriptionId: ""
+ #@schema/desc "Tenant ID"
+ tenantId: ""
+ #@schema/desc "Use manaaged identity extension"
+ #@schema/nullable
+ useManagedIdentityExtension: false
+ #@schema/desc "User Assigned Identity ID"
+ #@schema/nullable
+ userAssignedIdentityID: ""
+
+#@schema/desc "gcp provider related configuration"
+#@schema/nullable
+gcp:
+ #! #@schema/nullable
+ #! credentials:
+ #! #@schema/desc "AWS access key. When provided along with the aws.secretKey, a Secret will be created and referenced in the external-dns Deployment."
+ #! accessKey: ""
+ #! #@schema/desc "AWS secret key. When provided along with the aws.accessKey, a Secret will be created and referenced in the external-dns Deployment."
+ #! secretKey: ""
+ args:
+ project: ""
+ zone_visibility: "public"
+ policy: "upsert-only"
+ domain_filter: ""
+ txt_owner_id: "educates"
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream/release.yml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream/release.yml
new file mode 100644
index 000000000..277cba020
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream/release.yml
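Review bot: The `example_args()` block at the top of this hunk ships a TSIG key that looks real (`--rfc2136-tsig-secret=MTlQs3NNU=`) inside a schema example that ytt can export alongside the schema; even if it is a dummy, an obviously fake placeholder such as `--rfc2136-tsig-secret=<tsig-secret>` avoids tripping secret scanners, and a short sentence in the `deployment.args` description noting that anything passed here lands in the Deployment spec (readable by anyone who can get the Deployment or pod) would steer users toward `env` with `valueFrom` for key material instead. The `gcp` section carries commented-out `credentials` fields copied from `aws` with the AWS descriptions still attached; drop them or finish them before release so generated docs never say "AWS access key" under gcp. Minor: the `useManagedIdentityExtension` description has a typo, `manaaged`.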
@@ -0,0 +1,2700 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kapp-controller +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kapp-controller-packaging-global +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.data.packaging.carvel.dev +spec: + group: data.packaging.carvel.dev + groupPriorityMinimum: 100 + service: + name: packaging-api + namespace: kapp-controller + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: v1 +kind: Service +metadata: + name: packaging-api + namespace: kapp-controller +spec: + ports: + - name: main + port: 443 + protocol: TCP + targetPort: api + - name: metrics + port: 8080 + protocol: TCP + targetPort: metrics + selector: + app: kapp-controller +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: internalpackagemetadatas.internal.packaging.carvel.dev +spec: + group: internal.packaging.carvel.dev + names: + kind: InternalPackageMetadata + listKind: InternalPackageMetadataList + plural: internalpackagemetadatas + singular: internalpackagemetadata + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + categories: + description: Classifiers of the package (optional; Array of strings) + items: + type: string + type: array + displayName: + description: Human friendly name of the package (optional; string) + type: string + iconSVGBase64: + description: Base64 encoded icon (optional; string) + type: string + longDescription: + description: Long description of the package (optional; string) + type: string + maintainers: + description: List of maintainer info for the package. Currently only + supports the name key. (optional; array of maintner info) + items: + properties: + name: + type: string + type: object + type: array + providerName: + description: Name of the entity distributing the package (optional; + string) + type: string + shortDescription: + description: Short desription of the package (optional; string) + type: string + supportDescription: + description: Description of the support available for the package + (optional; string) + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: internalpackages.internal.packaging.carvel.dev +spec: + group: internal.packaging.carvel.dev + names: + kind: InternalPackage + listKind: InternalPackageList + plural: internalpackages + singular: internalpackage + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + capacityRequirementsDescription: + description: 'System requirements needed to install the package. Note: + these requirements will not be verified by kapp-controller on installation. + (optional; string)' + type: string + includedSoftware: + description: IncludedSoftware can be used to show the software contents + of a Package. This is especially useful if the underlying versions + do not match the Package version + items: + description: IncludedSoftware contains the underlying Software Contents + of a Package + properties: + description: + type: string + displayName: + type: string + version: + type: string + type: object + type: array + kappControllerVersionSelection: + description: KappControllerVersionSelection specifies the versions + of kapp-controller which can install this package + properties: + constraints: + type: string + type: object + kubernetesVersionSelection: + description: KubernetesVersionSelection specifies the versions of + k8s which this package can be installed on + properties: + constraints: + type: string + type: object + licenses: + description: Description of the licenses that apply to the package + software (optional; Array of strings) + items: + type: string + type: array + refName: + description: The name of the PackageMetadata associated with this + version Must be a valid PackageMetadata name (see PackageMetadata + CR for details) Cannot be empty + type: string + releaseNotes: + description: Version release notes (optional; string) + 
type: string + releasedAt: + description: Timestamp of release (iso8601 formatted string; optional) + format: date-time + nullable: true + type: string + template: + properties: + spec: + properties: + canceled: + description: Cancels current and future reconciliations (optional; + default=false) + type: boolean + cluster: + description: Specifies that app should be deployed to destination + cluster; by default, cluster is same as where this resource + resides (optional; v0.5.0+) + properties: + kubeconfigSecretRef: + description: Specifies secret containing kubeconfig (required) + properties: + key: + description: Specifies key that contains kubeconfig + (optional) + type: string + name: + description: Specifies secret name within app's namespace + (required) + type: string + type: object + namespace: + description: Specifies namespace in destination cluster + (optional) + type: string + type: object + defaultNamespace: + description: Specifies the default namespace to install the + App resources, by default this is same as the App's namespace + (optional; v0.48.0+) + type: string + deploy: + items: + properties: + kapp: + description: Use kapp to deploy resources + properties: + delete: + description: Configuration for delete command (optional) + properties: + rawOptions: + description: Pass through options to kapp delete + (optional) + items: + type: string + type: array + type: object + inspect: + description: 'Configuration for inspect command + (optional) as of kapp-controller v0.31.0, inspect + is disabled by default add rawOptions or use an + empty inspect config like `inspect: {}` to enable' + properties: + rawOptions: + description: Pass through options to kapp inspect + (optional) + items: + type: string + type: array + type: object + intoNs: + description: Override namespace for all resources + (optional) + type: string + mapNs: + description: Provide custom namespace override mapping + (optional) + items: + type: string + type: array + rawOptions: + 
description: Pass through options to kapp deploy + (optional) + items: + type: string + type: array + type: object + type: object + type: array + fetch: + items: + properties: + git: + description: Uses git to clone repository + properties: + forceHTTPBasicAuth: + description: Force the usage of HTTP Basic Auth + when Basic Auth is provided (optional) + type: boolean + lfsSkipSmudge: + description: Skip lfs download (optional) + type: boolean + ref: + description: Branch, tag, commit; origin is the + name of the remote (optional) + type: string + refSelection: + description: Specifies a strategy to resolve to + an explicit ref (optional; v0.24.0+) + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + secretRef: + description: 'Secret with auth details. allowed + keys: ssh-privatekey, ssh-knownhosts, username, + password (optional) (if ssh-knownhosts is not + specified, git will not perform strict host checking)' + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + subPath: + description: Grab only portion of repository (optional) + type: string + url: + description: http or ssh urls are supported (required) + type: string + type: object + helmChart: + description: Uses helm fetch to fetch specified chart + properties: + name: + description: 'Example: stable/redis' + type: string + repository: + properties: + secretRef: + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + url: + description: Repository url; scheme of oci:// + will fetch experimental helm oci chart (v0.19.0+) + (required) + type: string + type: object + version: + type: string + type: object + http: + description: Uses http library to fetch file + properties: + secretRef: + description: 'Secret to provide auth details (optional) + 
Secret may include one or more keys: username, + password' + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + sha256: + description: Checksum to verify after download (optional) + type: string + subPath: + description: Grab only portion of download (optional) + type: string + url: + description: 'URL can point to one of following + formats: text, tgz, zip http and https url are + supported; plain file, tgz and tar types are supported + (required)' + type: string + type: object + image: + description: Pulls content from Docker/OCI registry + properties: + secretRef: + description: 'Secret may include one or more keys: + username, password, token. By default anonymous + access is used for authentication.' + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + subPath: + description: Grab only portion of image (optional) + type: string + tagSelection: + description: Specifies a strategy to choose a tag + (optional; v0.24.0+) if specified, do not include + a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + url: + description: 'Docker image url; unqualified, tagged, + or digest references supported (required) Example: + username/app1-config:v0.1.0' + type: string + type: object + imgpkgBundle: + description: Pulls imgpkg bundle from Docker/OCI registry + (v0.17.0+) + properties: + image: + description: Docker image url; unqualified, tagged, + or digest references supported (required) + type: string + secretRef: + description: 'Secret may include one or more keys: + username, password, token. By default anonymous + access is used for authentication.' 
+ properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + tagSelection: + description: Specifies a strategy to choose a tag + (optional; v0.24.0+) if specified, do not include + a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + type: object + inline: + description: Pulls content from within this resource; + or other resources in the cluster + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their + content; not recommended for sensitive values + as CR is not encrypted (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config + maps; data values are recommended to be placed + in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + path: + description: Relative path to place the fetched artifacts + type: string + type: object + type: array + noopDelete: + description: Deletion requests for the App will result in + the App CR being deleted, but its associated resources will + not be deleted (optional; default=false; v0.18.0+) + type: boolean + paused: + description: Pauses _future_ reconciliation; does _not_ affect + currently running reconciliation (optional; default=false) + type: boolean + serviceAccountName: + description: Specifies that app should be deployed authenticated + via given service account, found in this namespace (optional; + v0.6.0+) + type: string + syncPeriod: + 
description: Specifies the length of time to wait, in time + + unit format, before reconciling. Always >= 30s. If value + below 30s is specified, 30s will be used. (optional; v0.9.0+; + default=30s) + type: string + template: + items: + properties: + cue: + properties: + inputExpression: + description: Cue expression for single path component, + can be used to unify ValuesFrom into a given field + (optional) + type: string + outputExpression: + description: Cue expression to output, default will + export all visible fields (optional) + type: string + paths: + description: Explicit list of files/directories + (optional) + items: + type: string + type: array + valuesFrom: + description: Provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects + a field of the app: only annotations, + labels, uid, name and namespace + are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running + KappController version, defaults + (empty) to retrieving the current + running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running + KubernetesAPIs from cluster, defaults + (empty) to retrieving the APIs + from the cluster. Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running + Kubernetes version from cluster, + defaults (empty) to retrieving + the version from the cluster. + Can be manually supplied instead.' 
+ properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + helmTemplate: + description: Use helm template command to render helm + chart + properties: + kubernetesAPIs: + description: 'Optional: Use kubernetes group/versions + resources available in the live cluster' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get Kubernetes version, + defaults (empty) to retrieving the version from + the cluster. Can be manually overridden to a value + instead.' + properties: + version: + type: string + type: object + name: + description: Set name explicitly, default is App + CR's name (optional; v0.13.0+) + type: string + namespace: + description: Set namespace explicitly, default is + App CR's namespace (optional; v0.13.0+) + type: string + path: + description: Path to chart (optional; v0.13.0+) + type: string + valuesFrom: + description: One or more secrets, config maps, paths + that provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects + a field of the app: only annotations, + labels, uid, name and namespace + are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running + KappController version, defaults + (empty) to retrieving the current + running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running + KubernetesAPIs from cluster, defaults + (empty) to retrieving the APIs + from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running + Kubernetes version from cluster, + defaults (empty) to retrieving + the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + jsonnet: + description: TODO implement jsonnet + type: object + kbld: + description: Use kbld to resolve image references to + use digests + properties: + paths: + items: + type: string + type: array + type: object + kustomize: + description: TODO implement kustomize + type: object + sops: + description: Use sops to decrypt *.sops.yml files (optional; + v0.11.0+) + properties: + age: + properties: + privateKeysSecretRef: + description: Secret with private armored PGP + private keys (required) + properties: + name: + type: string + type: object + type: object + paths: + description: Lists paths to decrypt explicitly (optional; + v0.13.0+) + items: + type: string + type: array + pgp: + description: Use PGP to decrypt files (required) + properties: + privateKeysSecretRef: + description: Secret with private armored PGP + private keys (required) + properties: + name: + type: string + type: object + type: object + type: object + ytt: + description: Use ytt to template configuration + properties: + fileMarks: + description: Control metadata about input files + passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ + for more details + items: + type: string + type: array + ignoreUnknownComments: + description: Ignores comments that ytt doesn't recognize + (optional; default=false) + type: boolean + inline: + description: Specify 
additional files, including + data values (optional) + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their + content; not recommended for sensitive values + as CR is not encrypted (optional) + type: object + pathsFrom: + description: Specifies content via secrets and + config maps; data values are recommended to + be placed in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + paths: + description: Lists paths to provide to ytt explicitly + (optional) + items: + type: string + type: array + strict: + description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md + (optional; default=false) + type: boolean + valuesFrom: + description: Provide values via ytt's --data-values-file + (optional; v0.19.0-alpha.9) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects + a field of the app: only annotations, + labels, uid, name and namespace + are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running + KappController version, defaults + (empty) to retrieving the current + running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running + KubernetesAPIs from cluster, defaults + (empty) to retrieving the APIs + from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running + Kubernetes version from cluster, + defaults (empty) to retrieving + the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + type: object + type: array + type: object + required: + - spec + type: object + valuesSchema: + description: valuesSchema can be used to show template values that + can be configured by users when a Package is installed in an OpenAPI + schema format. + properties: + openAPIv3: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + version: + description: Package version; Referenced by PackageInstall; Must be + valid semver (required) Cannot be empty + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: apps.kappctrl.k14s.io +spec: + group: kappctrl.k14s.io + names: + categories: + - carvel + kind: App + listKind: AppList + plural: apps + singular: app + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Friendly description + jsonPath: .status.friendlyDescription + name: Description + type: string + - description: Last time app started being deployed. Does not mean anything was + changed. 
+ jsonPath: .status.deploy.startedAt + name: Since-Deploy + type: date + - description: Time since creation + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'An App is a set of Kubernetes resources. These resources could + span any number of namespaces or could be cluster-wide (e.g. CRDs). An App + is represented in kapp-controller using a App CR. The App CR comprises of + three main sections: spec.fetch – declare source for fetching configuration + and OCI images spec.template – declare templating tool and values spec.deploy + – declare deployment tool and any deploy specific configuration' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canceled: + description: Cancels current and future reconciliations (optional; + default=false) + type: boolean + cluster: + description: Specifies that app should be deployed to destination + cluster; by default, cluster is same as where this resource resides + (optional; v0.5.0+) + properties: + kubeconfigSecretRef: + description: Specifies secret containing kubeconfig (required) + properties: + key: + description: Specifies key that contains kubeconfig (optional) + type: string + name: + description: Specifies secret name within app's namespace + (required) + type: string + type: object + namespace: + description: Specifies namespace in destination cluster (optional) + type: string + type: object + defaultNamespace: + description: Specifies the default namespace to install the App resources, + by default this is same as the App's namespace (optional; v0.48.0+) + type: string + deploy: + items: + properties: + kapp: + description: Use kapp to deploy resources + properties: + delete: + description: Configuration for delete command (optional) + properties: + rawOptions: + description: Pass through options to kapp delete (optional) + items: + type: string + type: array + type: object + inspect: + description: 'Configuration for inspect command (optional) + as of kapp-controller v0.31.0, inspect is disabled by + default add rawOptions or use an empty inspect config + like `inspect: {}` to enable' + properties: + rawOptions: + description: Pass through options to kapp inspect (optional) + items: + type: string + type: array + type: object + intoNs: + description: Override namespace for all resources (optional) + type: string + mapNs: + description: Provide custom namespace override mapping (optional) + items: + type: string + type: array + rawOptions: + description: Pass through options to kapp 
deploy (optional) + items: + type: string + type: array + type: object + type: object + type: array + fetch: + items: + properties: + git: + description: Uses git to clone repository + properties: + forceHTTPBasicAuth: + description: Force the usage of HTTP Basic Auth when Basic + Auth is provided (optional) + type: boolean + lfsSkipSmudge: + description: Skip lfs download (optional) + type: boolean + ref: + description: Branch, tag, commit; origin is the name of + the remote (optional) + type: string + refSelection: + description: Specifies a strategy to resolve to an explicit + ref (optional; v0.24.0+) + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + secretRef: + description: 'Secret with auth details. allowed keys: ssh-privatekey, + ssh-knownhosts, username, password (optional) (if ssh-knownhosts + is not specified, git will not perform strict host checking)' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of repository (optional) + type: string + url: + description: http or ssh urls are supported (required) + type: string + type: object + helmChart: + description: Uses helm fetch to fetch specified chart + properties: + name: + description: 'Example: stable/redis' + type: string + repository: + properties: + secretRef: + properties: + name: + description: Object is expected to be within same + namespace + type: string + type: object + url: + description: Repository url; scheme of oci:// will fetch + experimental helm oci chart (v0.19.0+) (required) + type: string + type: object + version: + type: string + type: object + http: + description: Uses http library to fetch file + properties: + secretRef: + description: 'Secret to provide auth details (optional) + Secret may include one or more keys: username, 
password' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + sha256: + description: Checksum to verify after download (optional) + type: string + subPath: + description: Grab only portion of download (optional) + type: string + url: + description: 'URL can point to one of following formats: + text, tgz, zip http and https url are supported; plain + file, tgz and tar types are supported (required)' + type: string + type: object + image: + description: Pulls content from Docker/OCI registry + properties: + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of image (optional) + type: string + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + url: + description: 'Docker image url; unqualified, tagged, or + digest references supported (required) Example: username/app1-config:v0.1.0' + type: string + type: object + imgpkgBundle: + description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+) + properties: + image: + description: Docker image url; unqualified, tagged, or digest + references supported (required) + type: string + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' 
+ properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + type: object + inline: + description: Pulls content from within this resource; or other + resources in the cluster + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their content; + not recommended for sensitive values as CR is not encrypted + (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config maps; + data values are recommended to be placed in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + path: + description: Relative path to place the fetched artifacts + type: string + type: object + type: array + noopDelete: + description: Deletion requests for the App will result in the App + CR being deleted, but its associated resources will not be deleted + (optional; default=false; v0.18.0+) + type: boolean + paused: + description: Pauses _future_ reconciliation; does _not_ affect currently + running reconciliation (optional; default=false) + type: boolean + serviceAccountName: + description: Specifies that app should be deployed authenticated via + given service account, found in this namespace (optional; v0.6.0+) + type: string + syncPeriod: + 
description: Specifies the length of time to wait, in time + unit + format, before reconciling. Always >= 30s. If value below 30s is + specified, 30s will be used. (optional; v0.9.0+; default=30s) + type: string + template: + items: + properties: + cue: + properties: + inputExpression: + description: Cue expression for single path component, can + be used to unify ValuesFrom into a given field (optional) + type: string + outputExpression: + description: Cue expression to output, default will export + all visible fields (optional) + type: string + paths: + description: Explicit list of files/directories (optional) + items: + type: string + type: array + valuesFrom: + description: Provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects a field + of the app: only annotations, labels, + uid, name and namespace are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running KappController + version, defaults (empty) to retrieving + the current running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running KubernetesAPIs + from cluster, defaults (empty) to retrieving + the APIs from the cluster. Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running Kubernetes + version from cluster, defaults (empty) + to retrieving the version from the cluster. + Can be manually supplied instead.' 
+ properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + helmTemplate: + description: Use helm template command to render helm chart + properties: + kubernetesAPIs: + description: 'Optional: Use kubernetes group/versions resources + available in the live cluster' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get Kubernetes version, defaults + (empty) to retrieving the version from the cluster. Can + be manually overridden to a value instead.' + properties: + version: + type: string + type: object + name: + description: Set name explicitly, default is App CR's name + (optional; v0.13.0+) + type: string + namespace: + description: Set namespace explicitly, default is App CR's + namespace (optional; v0.13.0+) + type: string + path: + description: Path to chart (optional; v0.13.0+) + type: string + valuesFrom: + description: One or more secrets, config maps, paths that + provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects a field + of the app: only annotations, labels, + uid, name and namespace are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running KappController + version, defaults (empty) to retrieving + the current running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running KubernetesAPIs + from cluster, defaults (empty) to retrieving + the APIs from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running Kubernetes + version from cluster, defaults (empty) + to retrieving the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + jsonnet: + description: TODO implement jsonnet + type: object + kbld: + description: Use kbld to resolve image references to use digests + properties: + paths: + items: + type: string + type: array + type: object + kustomize: + description: TODO implement kustomize + type: object + sops: + description: Use sops to decrypt *.sops.yml files (optional; + v0.11.0+) + properties: + age: + properties: + privateKeysSecretRef: + description: Secret with private armored PGP private + keys (required) + properties: + name: + type: string + type: object + type: object + paths: + description: Lists paths to decrypt explicitly (optional; + v0.13.0+) + items: + type: string + type: array + pgp: + description: Use PGP to decrypt files (required) + properties: + privateKeysSecretRef: + description: Secret with private armored PGP private + keys (required) + properties: + name: + type: string + type: object + type: object + type: object + ytt: + description: Use ytt to template configuration + properties: + fileMarks: + description: Control metadata about input files passed to + ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ + for more details + items: + type: string + type: array + ignoreUnknownComments: + description: Ignores comments that ytt doesn't recognize + (optional; default=false) + type: boolean + inline: + description: Specify additional 
files, including data values + (optional) + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their content; + not recommended for sensitive values as CR is not + encrypted (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config + maps; data values are recommended to be placed in + secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place files + found in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place files + found in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + paths: + description: Lists paths to provide to ytt explicitly (optional) + items: + type: string + type: array + strict: + description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md + (optional; default=false) + type: boolean + valuesFrom: + description: Provide values via ytt's --data-values-file + (optional; v0.19.0-alpha.9) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects a field + of the app: only annotations, labels, + uid, name and namespace are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running KappController + version, defaults (empty) to retrieving + the current running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running KubernetesAPIs + from cluster, defaults (empty) to retrieving + the APIs from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running Kubernetes + version from cluster, defaults (empty) + to retrieving the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + type: object + type: array + type: object + status: + properties: + conditions: + items: + properties: + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. + If it reports "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: ConditionType represents reconciler state + type: string + required: + - status + - type + type: object + type: array + consecutiveReconcileFailures: + type: integer + consecutiveReconcileSuccesses: + type: integer + deploy: + properties: + error: + type: string + exitCode: + type: integer + finished: + type: boolean + kapp: + description: KappDeployStatus contains the associated AppCR deployed + resources + properties: + associatedResources: + description: AssociatedResources contains the associated App + label, namespaces and GKs + properties: + groupKinds: + items: + description: GroupKind specifies a Group and a Kind, + but does not force a version. 
This is useful for + identifying concepts during lookup stages without + having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + label: + type: string + namespaces: + items: + type: string + type: array + type: object + type: object + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + fetch: + properties: + error: + type: string + exitCode: + type: integer + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + friendlyDescription: + type: string + inspect: + properties: + error: + type: string + exitCode: + type: integer + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + managedAppName: + type: string + observedGeneration: + description: Populated based on metadata.generation when controller + observes a change to the resource; if this value is out of data, + other status fields do not reflect latest state + format: int64 + type: integer + template: + properties: + error: + type: string + exitCode: + type: integer + stderr: + type: string + updatedAt: + format: date-time + type: string + type: object + usefulErrorMessage: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packageinstalls.packaging.carvel.dev +spec: + group: packaging.carvel.dev + names: + categories: + - carvel + kind: PackageInstall + listKind: PackageInstallList + plural: packageinstalls + shortNames: + - pkgi + singular: packageinstall + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: PackageMetadata name + jsonPath: 
.spec.packageRef.refName + name: Package name + type: string + - description: PackageMetadata version + jsonPath: .status.version + name: Package version + type: string + - description: Friendly description + jsonPath: .status.friendlyDescription + name: Description + type: string + - description: Time since creation + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: A Package Install is an actual installation of a package and + its underlying resources on a Kubernetes cluster. It is represented in kapp-controller + by a PackageInstall CR. A PackageInstall CR must reference a Package CR. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canceled: + description: Canceled when set to true will stop all active changes + type: boolean + cluster: + description: Specifies that Package should be deployed to destination + cluster; by default, cluster is same as where this resource resides + (optional) + properties: + kubeconfigSecretRef: + description: Specifies secret containing kubeconfig (required) + properties: + key: + description: Specifies key that contains kubeconfig (optional) + type: string + name: + description: Specifies secret name within app's namespace + (required) + type: string + type: object + namespace: + description: Specifies namespace in destination cluster (optional) + type: string + type: object + defaultNamespace: + description: Specifies the default namespace to install the Package + resources, by default this is same as the PackageInstall namespace + (optional; v0.48.0+) + type: string + noopDelete: + description: When NoopDelete set to true, PackageInstall deletion + should delete PackageInstall/App CR but preserve App's associated + resources. + type: boolean + packageRef: + description: Specifies the name of the package to install (required) + properties: + refName: + type: string + versionSelection: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + paused: + description: Paused when set to true will ignore all pending changes, + once it set back to false, pending changes will be applied + type: boolean + serviceAccountName: + description: Specifies service account that will be used to install + underlying package contents + type: string + syncPeriod: + description: Controls frequency of App reconciliation in time + unit + format. Always >= 30s. 
If value below 30s is specified, 30s will + be used. + type: string + values: + description: Values to be included in package's templating step (currently + only included in the first templating step) (optional) + items: + properties: + secretRef: + properties: + key: + type: string + name: + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + items: + properties: + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. + If it reports "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: ConditionType represents reconciler state + type: string + required: + - status + - type + type: object + type: array + friendlyDescription: + type: string + lastAttemptedVersion: + description: LastAttemptedVersion specifies what version was last + attempted to be installed. It does _not_ indicate it was successfully + installed. 
+ type: string + observedGeneration: + description: Populated based on metadata.generation when controller + observes a change to the resource; if this value is out of data, + other status fields do not reflect latest state + format: int64 + type: integer + usefulErrorMessage: + type: string + version: + description: TODO this is desired resolved version (not actually deployed) + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + packaging.carvel.dev/global-namespace: kapp-controller-packaging-global + name: packagerepositories.packaging.carvel.dev +spec: + group: packaging.carvel.dev + names: + categories: + - carvel + kind: PackageRepository + listKind: PackageRepositoryList + plural: packagerepositories + shortNames: + - pkgr + singular: packagerepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Time since creation + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Friendly description + jsonPath: .status.friendlyDescription + name: Description + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A package repository is a collection of packages and their metadata. + Similar to a maven repository or a rpm repository, adding a package repository + to a cluster gives users of that cluster the ability to install any of the + packages from that repository. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + fetch: + properties: + git: + description: Uses git to clone repository containing package list + properties: + forceHTTPBasicAuth: + description: Force the usage of HTTP Basic Auth when Basic + Auth is provided (optional) + type: boolean + lfsSkipSmudge: + description: Skip lfs download (optional) + type: boolean + ref: + description: Branch, tag, commit; origin is the name of the + remote (optional) + type: string + refSelection: + description: Specifies a strategy to resolve to an explicit + ref (optional; v0.24.0+) + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + secretRef: + description: 'Secret with auth details. 
allowed keys: ssh-privatekey, + ssh-knownhosts, username, password (optional) (if ssh-knownhosts + is not specified, git will not perform strict host checking)' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of repository (optional) + type: string + url: + description: http or ssh urls are supported (required) + type: string + type: object + http: + description: Uses http library to fetch file containing packages + properties: + secretRef: + description: 'Secret to provide auth details (optional) Secret + may include one or more keys: username, password' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + sha256: + description: Checksum to verify after download (optional) + type: string + subPath: + description: Grab only portion of download (optional) + type: string + url: + description: 'URL can point to one of following formats: text, + tgz, zip http and https url are supported; plain file, tgz + and tar types are supported (required)' + type: string + type: object + image: + description: Image url; unqualified, tagged, or digest references + supported (required) + properties: + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' 
+ properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of image (optional) + type: string + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + url: + description: 'Docker image url; unqualified, tagged, or digest + references supported (required) Example: username/app1-config:v0.1.0' + type: string + type: object + imgpkgBundle: + description: Pulls imgpkg bundle from Docker/OCI registry + properties: + image: + description: Docker image url; unqualified, tagged, or digest + references supported (required) + type: string + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' 
+ properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + type: object + inline: + description: Pull content from within this resource; or other + resources in the cluster + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their content; + not recommended for sensitive values as CR is not encrypted + (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config maps; + data values are recommended to be placed in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + type: object + paused: + description: Paused when set to true will ignore all pending changes, + once it set back to false, pending changes will be applied + type: boolean + syncPeriod: + description: Controls frequency of PackageRepository reconciliation + type: string + required: + - fetch + type: object + status: + properties: + conditions: + items: + properties: + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. 
+ If it reports "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: ConditionType represents reconciler state + type: string + required: + - status + - type + type: object + type: array + consecutiveReconcileFailures: + type: integer + consecutiveReconcileSuccesses: + type: integer + deploy: + properties: + error: + type: string + exitCode: + type: integer + finished: + type: boolean + kapp: + description: KappDeployStatus contains the associated AppCR deployed + resources + properties: + associatedResources: + description: AssociatedResources contains the associated App + label, namespaces and GKs + properties: + groupKinds: + items: + description: GroupKind specifies a Group and a Kind, + but does not force a version. This is useful for + identifying concepts during lookup stages without + having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + label: + type: string + namespaces: + items: + type: string + type: array + type: object + type: object + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + fetch: + properties: + error: + type: string + exitCode: + type: integer + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + friendlyDescription: + type: string + observedGeneration: + description: Populated based on metadata.generation when controller + observes a change to the resource; if this value is out of data, + other status fields do not reflect latest state + format: int64 + type: integer + template: + properties: + error: + type: string + exitCode: + type: integer + stderr: + type: string + updatedAt: + format: date-time + type: string + type: object + 
usefulErrorMessage: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + kapp-controller.carvel.dev/version: v0.52.0 + kbld.k14s.io/images: | + - origins: + - local: + path: /home/runner/work/kapp-controller/kapp-controller + - git: + dirty: true + remoteURL: https://github.com/carvel-dev/kapp-controller + sha: e081d6a54fe54a7cb1874bf25998dfb832c53cad + tags: + - v0.52.0 + url: ghcr.io/carvel-dev/kapp-controller@sha256:b83bd139c42777bb4428c2ae421f93675a7d6147dff3147471d1be112d9c1eec + name: kapp-controller + namespace: kapp-controller +spec: + replicas: 1 + revisionHistoryLimit: 0 + selector: + matchLabels: + app: kapp-controller + template: + metadata: + labels: + app: kapp-controller + spec: + containers: + - args: + - -packaging-global-namespace=kapp-controller-packaging-global + - -enable-api-priority-and-fairness=True + - -tls-cipher-suites= + env: + - name: KAPPCTRL_MEM_TMP_DIR + value: /etc/kappctrl-mem-tmp + - name: KAPPCTRL_SIDECAREXEC_SOCK + value: /etc/kappctrl-mem-tmp/sidecarexec.sock + - name: KAPPCTRL_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KAPPCTRL_API_PORT + value: "8443" + image: ghcr.io/carvel-dev/kapp-controller@sha256:b83bd139c42777bb4428c2ae421f93675a7d6147dff3147471d1be112d9c1eec + name: kapp-controller + ports: + - containerPort: 8443 + name: api + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + resources: + requests: + cpu: 120m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/kappctrl-mem-tmp + name: template-fs + - mountPath: /home/kapp-controller + name: home + - args: + - --sidecarexec + env: + - name: KAPPCTRL_SIDECAREXEC_SOCK + value: 
/etc/kappctrl-mem-tmp/sidecarexec.sock + - name: IMGPKG_ACTIVE_KEYCHAINS + value: gke,aks,ecr + image: ghcr.io/carvel-dev/kapp-controller@sha256:b83bd139c42777bb4428c2ae421f93675a7d6147dff3147471d1be112d9c1eec + name: kapp-controller-sidecarexec + resources: + requests: + cpu: 120m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/kappctrl-mem-tmp + name: template-fs + - mountPath: /home/kapp-controller + name: home + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: empty-sa + serviceAccount: kapp-controller-sa + volumes: + - emptyDir: + medium: Memory + name: template-fs + - emptyDir: + medium: Memory + name: home + - emptyDir: {} + name: empty-sa +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kapp-controller-sa + namespace: kapp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kapp-controller-cluster-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - kappctrl.k14s.io + resources: + - apps + - apps/status + verbs: + - '*' +- apiGroups: + - packaging.carvel.dev + resources: + - packageinstalls + - packageinstalls/status + - packageinstalls/finalizers + verbs: + - '*' +- apiGroups: + - packaging.carvel.dev + resources: + - packagerepositories + - packagerepositories/status + verbs: + - '*' +- apiGroups: + - internal.packaging.carvel.dev + resources: + - internalpackagemetadatas + verbs: + - '*' +- apiGroups: + - data.packaging.carvel.dev + resources: + - packagemetadatas + - packagemetadatas/status + verbs: + - '*' +- apiGroups: + - internal.packaging.carvel.dev + resources: + - 
internalpackages + verbs: + - '*' +- apiGroups: + - data.packaging.carvel.dev + resources: + - packages + - packages/status + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - update + - get +- apiGroups: + - "" + resources: + - namespaces + verbs: + - list + - watch + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - list + - watch +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kapp-controller-user-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - kappctrl.k14s.io + resources: + - apps + - apps/status + verbs: + - '*' +- apiGroups: + - packaging.carvel.dev + resources: + - packageinstalls + - packageinstalls/status + - packageinstalls/finalizers + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +- apiGroups: + - packaging.carvel.dev + resources: + - packagerepositories + - packagerepositories/status + verbs: + - get + - list + - watch +- apiGroups: + - internal.packaging.carvel.dev + resources: + - internalpackagemetadatas + verbs: + - get + - list + - watch +- apiGroups: + - data.packaging.carvel.dev + resources: + - packagemetadatas + - packagemetadatas/status + verbs: + - get + - list + - watch +- apiGroups: + - 
internal.packaging.carvel.dev + resources: + - internalpackages + verbs: + - get + - list + - watch +- apiGroups: + - data.packaging.carvel.dev + resources: + - packages + - packages/status + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kapp-controller-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kapp-controller-cluster-role +subjects: +- kind: ServiceAccount + name: kapp-controller-sa + namespace: kapp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pkg-apiserver:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: kapp-controller-sa + namespace: kapp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pkgserver-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: kapp-controller-sa + namespace: kapp-controller diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/values-schema.yaml new file mode 100644 index 000000000..913cfa07d --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/values-schema.yaml @@ -0,0 +1,5 @@ +#@data/values-schema +--- +#! No configuration supported. We need to add this to the schema to avoid errors +#@schema/nullable +namespace: "" \ No newline at end of file 
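Review bot: The comment in the new values-schema.yaml says "No configuration supported", yet the file then declares a nullable `namespace` value, so a reader cannot tell whether setting `namespace` does anything or is merely tolerated, and "to avoid errors" does not say which errors are avoided. Suggest a comment that states the key's purpose, e.g. `#! This package accepts no configuration; 'namespace' is declared only so that a data-values overlay setting it is not rejected by ytt schema validation.` Whether the value is actually consumed by the package templates cannot be confirmed from this diff and should be checked before the comment asserts it. The file also ends without a trailing newline (`\ No newline at end of file`), a minor style point worth fixing while the comment is reworded.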
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kyverno/upstream/install.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kyverno/upstream/install.yaml
new file mode 100644
index 000000000..29bc1d3bf
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kyverno/upstream/install.yaml
@@ -0,0 +1,42389 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno + labels: + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-admission-controller + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-background-controller + namespace: kyverno + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-cleanup-controller + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-cleanup-jobs + namespace: kyverno + labels: + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-reports-controller + namespace: kyverno + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kyverno + namespace: kyverno + labels: + app.kubernetes.io/component: config + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +data: + enableDefaultRegistryMutation: "true" + defaultRegistry: "docker.io" + generateSuccessEvents: "false" + excludeGroups: "system:nodes" + resourceFilters: >- + [*/*,kyverno,*] 
+ [Event,*,*] + [*/*,kube-system,*] + [*/*,kube-public,*] + [*/*,kube-node-lease,*] + [Node,*,*] + [Node/*,*,*] + [APIService,*,*] + [APIService/*,*,*] + [TokenReview,*,*] + [SubjectAccessReview,*,*] + [SelfSubjectAccessReview,*,*] + [Binding,*,*] + [Pod/binding,*,*] + [ReplicaSet,*,*] + [ReplicaSet/*,*,*] + [AdmissionReport,*,*] + [AdmissionReport/*,*,*] + [ClusterAdmissionReport,*,*] + [ClusterAdmissionReport/*,*,*] + [BackgroundScanReport,*,*] + [BackgroundScanReport/*,*,*] + [ClusterBackgroundScanReport,*,*] + [ClusterBackgroundScanReport/*,*,*] + [ClusterRole,*,kyverno:admission-controller] + [ClusterRole,*,kyverno:admission-controller:core] + [ClusterRole,*,kyverno:admission-controller:additional] + [ClusterRole,*,kyverno:background-controller] + [ClusterRole,*,kyverno:background-controller:core] + [ClusterRole,*,kyverno:background-controller:additional] + [ClusterRole,*,kyverno:cleanup-controller] + [ClusterRole,*,kyverno:cleanup-controller:core] + [ClusterRole,*,kyverno:cleanup-controller:additional] + [ClusterRole,*,kyverno:reports-controller] + [ClusterRole,*,kyverno:reports-controller:core] + [ClusterRole,*,kyverno:reports-controller:additional] + [ClusterRoleBinding,*,kyverno:admission-controller] + [ClusterRoleBinding,*,kyverno:background-controller] + [ClusterRoleBinding,*,kyverno:cleanup-controller] + [ClusterRoleBinding,*,kyverno:reports-controller] + [ServiceAccount,kyverno,kyverno-admission-controller] + [ServiceAccount/*,kyverno,kyverno-admission-controller] + [ServiceAccount,kyverno,kyverno-background-controller] + [ServiceAccount/*,kyverno,kyverno-background-controller] + [ServiceAccount,kyverno,kyverno-cleanup-controller] + [ServiceAccount/*,kyverno,kyverno-cleanup-controller] + [ServiceAccount,kyverno,kyverno-reports-controller] + [ServiceAccount/*,kyverno,kyverno-reports-controller] + [Role,kyverno,kyverno:admission-controller] + [Role,kyverno,kyverno:background-controller] + [Role,kyverno,kyverno:cleanup-controller] + 
[Role,kyverno,kyverno:reports-controller] + [RoleBinding,kyverno,kyverno:admission-controller] + [RoleBinding,kyverno,kyverno:background-controller] + [RoleBinding,kyverno,kyverno:cleanup-controller] + [RoleBinding,kyverno,kyverno:reports-controller] + [ConfigMap,kyverno,kyverno] + [ConfigMap,kyverno,kyverno-metrics] + [Deployment,kyverno,kyverno-admission-controller] + [Deployment/*,kyverno,kyverno-admission-controller] + [Deployment,kyverno,kyverno-background-controller] + [Deployment/*,kyverno,kyverno-background-controller] + [Deployment,kyverno,kyverno-cleanup-controller] + [Deployment/*,kyverno,kyverno-cleanup-controller] + [Deployment,kyverno,kyverno-reports-controller] + [Deployment/*,kyverno,kyverno-reports-controller] + [Pod,kyverno,kyverno-admission-controller-*] + [Pod/*,kyverno,kyverno-admission-controller-*] + [Pod,kyverno,kyverno-background-controller-*] + [Pod/*,kyverno,kyverno-background-controller-*] + [Pod,kyverno,kyverno-cleanup-controller-*] + [Pod/*,kyverno,kyverno-cleanup-controller-*] + [Pod,kyverno,kyverno-reports-controller-*] + [Pod/*,kyverno,kyverno-reports-controller-*] + [Job,kyverno,kyverno-hook-pre-delete] + [Job/*,kyverno,kyverno-hook-pre-delete] + [NetworkPolicy,kyverno,kyverno-admission-controller] + [NetworkPolicy/*,kyverno,kyverno-admission-controller] + [NetworkPolicy,kyverno,kyverno-background-controller] + [NetworkPolicy/*,kyverno,kyverno-background-controller] + [NetworkPolicy,kyverno,kyverno-cleanup-controller] + [NetworkPolicy/*,kyverno,kyverno-cleanup-controller] + [NetworkPolicy,kyverno,kyverno-reports-controller] + [NetworkPolicy/*,kyverno,kyverno-reports-controller] + [PodDisruptionBudget,kyverno,kyverno-admission-controller] + [PodDisruptionBudget/*,kyverno,kyverno-admission-controller] + [PodDisruptionBudget,kyverno,kyverno-background-controller] + [PodDisruptionBudget/*,kyverno,kyverno-background-controller] + [PodDisruptionBudget,kyverno,kyverno-cleanup-controller] + 
[PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller] + [PodDisruptionBudget,kyverno,kyverno-reports-controller] + [PodDisruptionBudget/*,kyverno,kyverno-reports-controller] + [Service,kyverno,kyverno-svc] + [Service/*,kyverno,kyverno-svc] + [Service,kyverno,kyverno-svc-metrics] + [Service/*,kyverno,kyverno-svc-metrics] + [Service,kyverno,kyverno-background-controller-metrics] + [Service/*,kyverno,kyverno-background-controller-metrics] + [Service,kyverno,kyverno-cleanup-controller] + [Service/*,kyverno,kyverno-cleanup-controller] + [Service,kyverno,kyverno-cleanup-controller-metrics] + [Service/*,kyverno,kyverno-cleanup-controller-metrics] + [Service,kyverno,kyverno-reports-controller-metrics] + [Service/*,kyverno,kyverno-reports-controller-metrics] + [ServiceMonitor,kyverno,kyverno-admission-controller] + [ServiceMonitor,kyverno,kyverno-background-controller] + [ServiceMonitor,kyverno,kyverno-cleanup-controller] + [ServiceMonitor,kyverno,kyverno-reports-controller] + [Secret,kyverno,kyverno-svc.kyverno.svc.*] + [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] + webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kyverno-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: config + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +data: + namespaces: "{\"exclude\":[],\"include\":[]}" + bucketBoundaries: "0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30" +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + 
controller-gen.kubebuilder.io/version: v0.15.0 + name: admissionreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: AdmissionReport + listKind: AdmissionReportList + plural: admissionreports + shortNames: + - admr + singular: admissionreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.summary.pass + name: PASS + type: integer + - jsonPath: .spec.summary.fail + name: FAIL + type: integer + - jsonPath: .spec.summary.warn + name: WARN + type: integer + - jsonPath: .spec.summary.error + name: ERROR + type: integer + - jsonPath: .spec.summary.skip + name: SKIP + type: integer + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] + name: GVR + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] + name: REF + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] + name: AGGREGATE + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: AdmissionReport is the Schema for the AdmissionReports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. 
a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. 
+ + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. 
+ format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: backgroundscanreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: BackgroundScanReport + listKind: BackgroundScanReportList + plural: backgroundscanreports + shortNames: + - bgscanr + singular: backgroundscanreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.ownerReferences[0].apiVersion + name: ApiVersion + type: string + - jsonPath: .metadata.ownerReferences[0].kind + name: Kind + type: string + - jsonPath: .metadata.ownerReferences[0].name + name: Subject + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: 
.spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: BackgroundScanReport is the Schema for the BackgroundScanReports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. 
+ For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. 
For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). 
This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. 
Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: cleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: CleanupPolicy + listKind: CleanupPolicyList + plural: cleanuppolicies + shortNames: + - cleanpol + singular: cleanuppolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: 
.spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2alpha1 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. 
The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. 
+ type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. 
Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. 
+ enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. 
+ items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. 
+ properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. 
+ items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". 
+ type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusteradmissionreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterAdmissionReport + listKind: ClusterAdmissionReportList + plural: clusteradmissionreports + shortNames: + - cadmr + singular: clusteradmissionreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.summary.pass + name: PASS + type: integer + - jsonPath: .spec.summary.fail + name: FAIL + type: integer + - jsonPath: .spec.summary.warn + name: WARN + type: integer + - jsonPath: .spec.summary.error + name: ERROR + type: integer + - jsonPath: .spec.summary.skip + name: SKIP + type: integer + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] 
+ name: GVR + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] + name: REF + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] + name: AGGREGATE + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. 
+ type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. 
This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. 
+ format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterbackgroundscanreports.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterBackgroundScanReport + listKind: ClusterBackgroundScanReportList + plural: clusterbackgroundscanreports + shortNames: + - cbgscanr + singular: clusterbackgroundscanreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.ownerReferences[0].apiVersion + name: ApiVersion + type: string + - jsonPath: .metadata.ownerReferences[0].kind + name: Kind + type: string + - jsonPath: .metadata.ownerReferences[0].name + name: Subject + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail 
+ type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. 
+ For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. 
For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). 
This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. 
Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clustercleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterCleanupPolicy + listKind: ClusterCleanupPolicyList + plural: clustercleanuppolicies + shortNames: + - ccleanpol + singular: clustercleanuppolicy + scope: Cluster + versions: + - 
additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2alpha1 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. 
The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. 
+ type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. 
Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. 
+ enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. 
+ items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. 
+ properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. 
+ items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". 
+ type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterPolicy + listKind: ClusterPolicyList + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: 
.status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. 
+ enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. 
It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. 
+ items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. 
+ See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. 
+ type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. 
+ type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). 
Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. 
+ properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. 
+ enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. 
Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. 
+ type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. 
The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. 
+ [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. 
+ The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. 
+ enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
+ When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. 
+ items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. 
+ minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. 
Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
+ When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. 
At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. 
have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
+ items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. 
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. 
If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. 
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". 
+ type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. 
The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. 
+ enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. 
Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. 
+ type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. 
The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. 
[1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. 
+ items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. 
+ properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. 
+ properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. 
+ type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. 
+ type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + 
description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. 
+ type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. 
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. 
+ It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. 
+ properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. 
+ type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). 
Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. 
+ properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. 
+ properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. 
+ properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. 
+ maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). 
+ properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. 
+ type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. 
+ No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. 
+ If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. 
+ type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. 
+ + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. 
The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. 
+ It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. 
+ The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. 
+ enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. 
An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. 
+ AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. 
An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. 
+ items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. 
+ enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. 
+ properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. 
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. 
+ Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. 
+ type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. 
+ properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. 
The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. 
+ The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. 
+ properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. 
+ maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". 
+ + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. 
The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. 
+ Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. 
+ properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. 
+ type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. 
+ properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. 
+ items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. 
+ properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. 
+ properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. 
+ type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. 
+ type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + 
description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: policies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: 
|- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). 
+ type: boolean + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. 
+ properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. 
If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. 
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". 
+ type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. 
+ enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. 
Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. 
+ type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. 
The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. 
+ [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. 
+ The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. 
+ enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
+ When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. 
+ items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. 
+ minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. 
Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). 
+ When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. 
At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. 
have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
+ items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. 
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Deprecated. Policy metrics are available via the metrics + endpoint + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. 
If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. 
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". 
+ type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. 
The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. 
+ enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. 
Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. 
+ type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. 
The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. 
[1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. 
+ items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. 
+ properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. 
+ properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. 
+ type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. 
+ type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + 
description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. 
+ Defaults to "false" if not specified. + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. 
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. 
+ It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. 
+ properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. 
+ type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). 
Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. 
+ properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. 
+ properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. 
+ properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. 
+ maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). 
+ properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. 
+ type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. 
+ No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. 
+ If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. 
+ type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. 
+ + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. 
The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. 
+ It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. 
+ The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. 
+ enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. 
An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. 
+ AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. 
An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. 
+ items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. 
+ enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. 
+ properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. 
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. 
+ Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. 
+ type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. 
+ properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. 
The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. 
+ The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. 
+ properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. 
+ maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". 
+ + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. 
The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. 
+ Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. 
+ properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. 
+ type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. 
+ properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. 
+ items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. + enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. 
+ properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. 
+ type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. 
+ properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. 
+ type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. 
+ type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + 
description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: policyexceptions.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: PolicyException + listKind: PolicyExceptionList + plural: policyexceptions + shortNames: + - polex + singular: policyexception + scope: Namespaced + versions: + - deprecated: true + name: v2alpha1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). 
+ type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: false + - name: v2beta1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). 
+ type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: updaterequests.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: UpdateRequest + listKind: UpdateRequestList + plural: updaterequests + shortNames: + - ur + singular: updaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: 
.spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. 
+ type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. 
+ + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. 
+ properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + uid: + description: |- + A unique value that identifies this user across time. 
If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. 
+ type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. 
+ type: string + required: + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterpolicyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. 
+ + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: 
kyverno-crds + app.kubernetes.io/version: 3.1.5 + helm.sh/chart: crds-3.1.5 + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: policyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. 
+ + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:admission-controller + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + 
app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:admission-controller:core + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - list + - watch + - apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - updaterequests + - updaterequests/status + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller + labels: + 
app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:core + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +rules: + - apiGroups: + - kyverno.io + resources: + - policies + - clusterpolicies + - policyexceptions + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + resources: + - namespaces + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - networkpolicies + verbs: + - create + - update + - patch + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + - secrets + - resourcequotas + - limitranges + verbs: + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + 
app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:cleanup-controller:core + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - clustercleanuppolicies + - cleanuppolicies + verbs: + - list + - watch + - apiGroups: + - kyverno.io + resources: + - clustercleanuppolicies/status + - cleanuppolicies/status + verbs: + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno-cleanup-jobs + labels: + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + verbs: + - list + - deletecollection + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:admin:policies + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - 
clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:view:policies + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:admin:policyreports + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:view:policyreports + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:admin:reports + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - 
clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:view:reports + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:admin:updaterequests + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:view:updaterequests + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:reports-controller + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: reports-controller + 
app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:reports-controller:core + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:admission-controller + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:admission-controller +subjects: + - kind: ServiceAccount + name: kyverno-admission-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:background-controller +subjects: +- kind: ServiceAccount + name: 
kyverno-background-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:cleanup-controller +subjects: +- kind: ServiceAccount + name: kyverno-cleanup-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno-cleanup-jobs + labels: + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno-cleanup-jobs +subjects: + - kind: ServiceAccount + name: kyverno-cleanup-jobs + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:reports-controller + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:reports-controller +subjects: +- kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:admission-controller + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics 
+ - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + # Allow update of Kyverno deployment annotations + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: + - kyverno-background-controller + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - apiGroups: + - '' + resources: + - secrets + verbs: + - delete + - get + - list + - update + - watch + resourceNames: + - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca + - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: 
+ - kyverno-cleanup-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:reports-controller + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: + - kyverno-reports-controller +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:admission-controller + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:admission-controller +subjects: + - kind: ServiceAccount + name: kyverno-admission-controller + namespace: kyverno +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:background-controller +subjects: + - kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: 
v1.11.5 + namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:cleanup-controller +subjects: + - kind: ServiceAccount + name: kyverno-cleanup-controller + namespace: kyverno +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:reports-controller + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:reports-controller +subjects: + - kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-svc + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + ports: + - port: 443 + targetPort: https + protocol: TCP + name: https + selector: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-svc-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-background-controller-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + 
app.kubernetes.io/version: v1.11.5 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-cleanup-controller + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + ports: + - port: 443 + targetPort: https + protocol: TCP + name: https + selector: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-cleanup-controller-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-reports-controller-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kyverno-admission-controller + namespace: kyverno + labels: + app.kubernetes.io/component: 
admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + replicas: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-admission-controller + initContainers: + - name: kyverno-pre + image: "ghcr.io/kyverno/kyvernopre:v1.11.5" + imagePullPolicy: IfNotPresent + args: + - --loggingFormat=text + - --v=2 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-admission-controller + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_DEPLOYMENT + value: kyverno-admission-controller + - name: KYVERNO_SVC + value: kyverno-svc + containers: + - name: kyverno + image: "ghcr.io/kyverno/kyverno:v1.11.5" + imagePullPolicy: IfNotPresent + args: + - 
--caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca + - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair + - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller + - --servicePort=443 + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --admissionReports=true + - --autoUpdateWebhooks=true + - --enableConfigMapCaching=true + - --enableDeferredLoading=true + - --dumpPayload=false + - --forceFailurePolicyIgnore=false + - --generateValidatingAdmissionPolicy=false + - --loggingFormat=text + - --v=2 + - --enablePolicyException=true + - --protectManagedResources=false + - --allowInsecureRegistry=false + - --registryCredentialHelpers=default,google,amazon,azure,github + resources: + limits: + memory: 384Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics-port + protocol: TCP + env: + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-admission-controller + - name: KYVERNO_SVC + value: kyverno-svc + - name: TUF_ROOT + value: /.sigstore + - name: KYVERNO_DEPLOYMENT + value: kyverno-admission-controller + startupProbe: + failureThreshold: 20 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 2 + periodSeconds: 6 + livenessProbe: + failureThreshold: 2 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + 
failureThreshold: 6 + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /.sigstore + name: sigstore + volumes: + - name: sigstore + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kyverno-background-controller + namespace: kyverno + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + replicas: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - background-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-background-controller + containers: + - name: controller + image: "ghcr.io/kyverno/background-controller:v1.11.5" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --enableConfigMapCaching=true + - --enableDeferredLoading=true + - --loggingFormat=text + - --v=2 + - --enablePolicyException=true + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-background-controller + - name: KYVERNO_DEPLOYMENT + value: 
kyverno-background-controller + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kyverno-cleanup-controller + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + replicas: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - cleanup-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-cleanup-controller + containers: + - name: controller + image: "ghcr.io/kyverno/cleanup-controller:v1.11.5" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca + - 
--tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair + - --servicePort=443 + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --enableDeferredLoading=true + - --dumpPayload=false + - --loggingFormat=text + - --v=2 + - --ttlReconciliationInterval=1m + env: + - name: KYVERNO_DEPLOYMENT + value: kyverno-cleanup-controller + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-cleanup-controller + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_SVC + value: kyverno-cleanup-controller + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 20 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 2 + periodSeconds: 6 + livenessProbe: + failureThreshold: 2 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kyverno-reports-controller + namespace: kyverno + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + replicas: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + 
app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - reports-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-reports-controller + containers: + - name: controller + image: "ghcr.io/kyverno/reports-controller:v1.11.5" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --admissionReports=true + - --aggregateReports=true + - --policyReports=true + - --validatingAdmissionPolicyReports=false + - --backgroundScan=true + - --backgroundScanWorkers=2 + - --backgroundScanInterval=1h + - --skipResourceFilters=true + - --enableConfigMapCaching=true + - --enableDeferredLoading=true + - --loggingFormat=text + - --v=2 + - --enablePolicyException=true + - --reportsChunkSize=1000 + - --allowInsecureRegistry=false + - --registryCredentialHelpers=default,google,amazon,azure,github + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-reports-controller + - name: KYVERNO_DEPLOYMENT + value: kyverno-reports-controller + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: /.sigstore + resources: + limits: + memory: 128Mi + 
requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /.sigstore + name: sigstore + volumes: + - name: sigstore + emptyDir: {} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: kyverno-cleanup-admission-reports + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + schedule: "*/10 * * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + spec: + serviceAccountName: kyverno-cleanup-jobs + containers: + - name: cleanup + image: "bitnami/kubectl:1.28.5" + imagePullPolicy: + command: + - /bin/sh + - -c + - | + COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) + if [ "$COUNT" -gt 10000 ]; then + echo "too many reports found ($COUNT), cleaning up..." 
+ kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' + else + echo "($COUNT) reports found, no clean up needed" + fi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: kyverno-cleanup-cluster-admission-reports + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.11.5 +spec: + schedule: "*/10 * * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + spec: + serviceAccountName: kyverno-cleanup-jobs + containers: + - name: cleanup + image: "bitnami/kubectl:1.28.5" + imagePullPolicy: + command: + - /bin/sh + - -c + - | + COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l) + if [ "$COUNT" -gt 10000 ]; then + echo "too many reports found ($COUNT), cleaning up..." + kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' + else + echo "($COUNT) reports found, no clean up needed" + fi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: OnFailure diff --git a/carvel-packages/installer/bundle/config/ytt/config.yaml b/carvel-packages/installer/bundle/config/ytt/config.yaml new file mode 100644 index 000000000..6e5aba887 --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/config.yaml 
@@ -0,0 +1,51 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:library", "library") +#@ load("@ytt:template", "template") +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:struct", "struct") +#@ load("@ytt:yaml", "yaml") +#@ load("functions/kapp-annotations.lib.yaml", "addKappAnnotations") + +#@ orderedPackagesList = [ +#@ "cert-manager", +#@ "contour", +#@ "external-dns", +#@ "certs", +#@ "kyverno", +#@ "kapp-controller", +#@ "educates" +#@ ] + +#@ def getOverlaysFromLibrary(): +#@ if hasattr(data.values.clusterInfrastructure, "provider"): +#@ infra = "infrastructure/" + data.values.clusterInfrastructure.provider +#@ return library.get(infra).with_data_values(data.values).eval() +#@ end +#@ end + +#@ overlayedValues = data.values +#@ for overlayToApply in getOverlaysFromLibrary(): +#@ overlayedValues = struct.encode(yaml.decode(yaml.encode(overlay.apply(overlayedValues, overlayToApply)))) +#@ end + +#! TODO: Here would be nice to calculate all the certificate specifics and then pass them to the overlayedValues + +#@ if data.values.debug: +--- #@ overlayedValues +#@ else: +#@ for name in orderedPackagesList: #! overlayedValues.clusterPackages: +#@ package = overlayedValues.clusterPackages[name] +#@ packagePath = "packages/" + name +#@ packageValues = package.settings +#@ if package.enabled: +--- #@ template.replace(overlay.apply(library.get(packagePath).with_data_values(packageValues).eval(), addKappAnnotations(name, overlayedValues, orderedPackagesList))) +#@ end +#@ end + +#@ allInfo = struct.make(config=data.values, values=overlayedValues) +#@ if overlayedValues.clusterPackages["educates"].enabled: +--- #@ template.replace(overlay.apply(library.get("config").with_data_values(allInfo).eval(), addKappAnnotations("educates", overlayedValues, orderedPackagesList))) +#@ else: +--- #@ template.replace(overlay.apply(library.get("config").with_data_values(allInfo).eval())) +#@ end +#@ end 
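Review bot: `getOverlaysFromLibrary()` falls through without a return when `clusterInfrastructure` has no `provider` attribute, and the top-level `for overlayToApply in getOverlaysFromLibrary():` would then iterate None and fail; the schema defaults `provider` to "custom" so this is probably unreachable today, but the function should still end with `#@ return []` before its final `#@ end` so the contract is explicit. The `debug` branch also emits `overlayedValues` verbatim, which by the schema includes `trainingPortal.credentials.*.password`, `clusterIngress.tlsCertificate.tls.key` and `dockerDaemon.proxyCache.password`; a comment such as `#! debug output echoes every value, including credentials and private keys; never commit or share it` would make that cost visible to whoever runs `--debug`.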
diff --git a/carvel-packages/installer/bundle/config/ytt/functions/kapp-annotations.lib.yaml b/carvel-packages/installer/bundle/config/ytt/functions/kapp-annotations.lib.yaml new file mode 100644 index 000000000..e2f76a5ea --- /dev/null +++ b/carvel-packages/installer/bundle/config/ytt/functions/kapp-annotations.lib.yaml @@ -0,0 +1,49 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@ def addKappAnnotations(packageName, valuesToApply, orderedPackagesList): + +#@ activatedPackagesList = [] +#@ for name in orderedPackagesList: +#@ if name in valuesToApply.clusterPackages: +#@ package = valuesToApply.clusterPackages[name] +#@ if package.enabled == True: +#@ activatedPackagesList.append(name) +#@ end +#@ end +#@ end + +#@ index = activatedPackagesList.index(packageName) +#@ if index == 0: +#@ prev = None +#@ else: +#@ prev = activatedPackagesList[index - 1] +#@ end +#@ if index == len(activatedPackagesList) - 1: +#@ next = None +#@ else: +#@ next = activatedPackagesList[index + 1] +#@ end + +#@overlay/match by=lambda i,l,r: "metadata" in l,expects="0+" +--- +metadata: + #@overlay/match missing_ok=True + annotations: + #@overlay/match missing_ok=True + educates.dev/infra-provider: #@ data.values.clusterInfrastructure.provider + #@overlay/match missing_ok=True + kapp.k14s.io/disable-original: "" + #@overlay/match missing_ok=True + kapp.k14s.io/change-group.package: #@ "educates-installer/{}".format(packageName) + #@overlay/match missing_ok=True + kapp.k14s.io/change-group.global: #@ "educates-installer" + #@ if prev!=None: + #@overlay/match missing_ok=True + kapp.k14s.io/change-rule.insert: #@ "upsert after upserting educates-installer/{}".format(prev) + #@ end + #@ if next!=None: + #@overlay/match missing_ok=True + kapp.k14s.io/change-rule.delete: #@ "delete after deleting educates-installer/{}".format(next) + #@ end +#@ end 
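Review bot: The `educates.dev/infra-provider` annotation reads `data.values.clusterInfrastructure.provider`, while every other lookup in `addKappAnnotations` goes through the `valuesToApply` argument that config.yaml passes as the overlayed values; if an infrastructure overlay ever rewrites the provider, the annotation would disagree with the values the package was rendered from, so use `valuesToApply.clusterInfrastructure.provider` here. `activatedPackagesList.index(packageName)` raises when the package is not enabled, which config.yaml guarantees by calling this only inside `if package.enabled`, but that precondition is worth stating at the top of the function: `#! precondition: packageName is enabled in valuesToApply.clusterPackages`. As a point of style, `package.enabled == True` can be written `package.enabled`, matching how config.yaml tests the same field.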
diff --git a/carvel-packages/installer/bundle/config/ytt/schema-rules.star b/carvel-packages/installer/bundle/config/ytt/schema-rules.star
new file mode 100644
index 000000000..5ea1c1a4c
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/schema-rules.star
@@ -0,0 +1,69 @@
+load("@ytt:assert", "assert")
+
+def custom_requires_clusterPackages(val):
+ if val["clusterPackages"] == None:
+ return fail("clusterPackages must be defined when provider is custom")
+ end
+end
+
+def custom_requires_one_enabled_Package(val):
+ for package in val["clusterPackages"]:
+ if val["clusterPackages"][package] != None and val["clusterPackages"][package]["enabled"] == True:
+ return True
+ end
+ end
+ fail("At least one package needs to be enabled for custom provider")
+end
+
+validation_custom = [
+ custom_requires_clusterPackages,
+ custom_requires_one_enabled_Package
+]
+
+def validate_custom(val):
+ if val["clusterInfrastructure"]["provider"] == "custom":
+ for function in validation_custom:
+ function(val)
+ end
+ end
+ return True
+end
+
+def validate_domain(val):
+ #! Domain not validated for custom infrastructure provider
+ if val["clusterInfrastructure"]["provider"] == "custom":
+ return True
+ end
+
+ #! Domain provided at top level
+ if val["clusterIngress"] != None and \
+ val["clusterIngress"]["domain"] != None:
+ return True
+ end
+
+ #! Domain provided at clusterPackage level
+ val, err = assert.try_to(lambda: val["clusterPackages"]["educates"]["settings"]["clusterIngress"]["domain"])
+ if val != None:
+ return True
+ end
+
+ #! Domain is not required if educates is not enabled
+ enabled, err = assert.try_to(lambda: val["clusterPackages"]["educates"]["enabled"])
+ if not enabled:
+ return True
+ end
+
+ fail("clusterIngress.domain for educates needs to be provided")
+end
+
+validation_functions = [
+ validate_custom,
+ validate_domain
+]
+
+def validate_all(val):
+ for function in validation_functions:
+ function(val)
+ end
+ return True
+end
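Review bot: In `validate_domain`, `val, err = assert.try_to(lambda: val["clusterPackages"]...["domain"])` overwrites the `val` parameter with the looked-up domain or None, so the next lookup `assert.try_to(lambda: val["clusterPackages"]["educates"]["enabled"])` indexes into that string/None, errors, leaves `enabled` as None, and `if not enabled: return True` fires — the final `fail("clusterIngress.domain for educates needs to be provided")` is unreachable and a non-custom install with no domain passes validation. Rename the intermediate, `domain, err = assert.try_to(...)` followed by `if domain != None:`, so the original `val` is still in scope for the enabled check. Separately, `custom_requires_clusterPackages` wraps `fail()` in `return`, which is dead code since `fail` never returns; dropping the `return` keeps it consistent with `custom_requires_one_enabled_Package`.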
diff --git a/carvel-packages/installer/bundle/config/ytt/values-schema.yaml b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml
new file mode 100644
index 000000000..1416df174
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/values-schema.yaml
@@ -0,0 +1,323 @@ +#@ load("schema-rules.star", "validate_all") + +#@data/values-schema +#@schema/validation ("Error validating config", validate_all) +--- +debug: false +#@schema/nullable +clusterPackages: + #@schema/nullable + contour: + enabled: true + #@schema/nullable + #@schema/type any=True + settings: {} + #@schema/nullable + cert-manager: + enabled: false + #@schema/nullable + #@schema/type any=True + settings: {} + #@schema/nullable + external-dns: + enabled: false + #@schema/nullable + #@schema/type any=True + settings: {} + #@schema/nullable + certs: + enabled: false + #@schema/nullable + #@schema/type any=True + settings: {} + #@schema/nullable + kyverno: + enabled: true + #@schema/nullable + #@schema/type any=True + settings: {} + #@schema/nullable + kapp-controller: + enabled: false + #@schema/nullable + #@schema/type any=True + settings: {} + #@schema/nullable + educates: + enabled: true + #@schema/nullable + #@schema/type any=True + settings: {} +#@schema/title "Cluster Infrastructure" +#@schema/desc "Configuration for the cluster infrastructure" +clusterInfrastructure: + #! NOT IMPLEMENTED: "azure", "gke-autopilot", "minikube" + #! TODO: Implement validators. e.g. when kind is selected, clusterIngress.domain is required. + #@schema/validation one_of=["eks", "gke", "kind", "custom", "vcluster", "generic"] + provider: "custom" + #@schema/nullable + #@schema/validation not_null=True, when=lambda _, ctx: ctx.root["clusterInfrastructure"]["provider"] == "eks" + #@schema/title "AWS specific configuration" + #@schema/desc "AWS specific configuration to use when provider is set to eks" + aws: + #@schema/title "AWS Region" + #@schema/desc "AWS Region where the cluster exists. 
This is needed for cert-manager's cluster issuer, when cert-manager is installed" + #@schema/validation ("region is required for aws based providers",lambda v: len(v) >= 1) + region: "" + #@schema/title "Route53 configuration" + #@schema/desc "Route53 configuration for the AWS account. This will be used by external-dns to manage DNS records" + #@schema/nullable + route53: + #@schema/title "Route53 HostedZone" + #@schema/desc "Route53 HostedZone to use. When not provided, external-dns will be provided with clusterIngress.domain" + #@schema/validation ("route53.hostedZone is required for aws based providers",lambda v: len(v) >= 1) + hostedZone: "" + #@schema/title "AWS IAM IRSA Roles" + #@schema/desc "AWS IAM IRSA Roles for external-dns and cert-manager" + irsaRoles: + #@schema/example "arn:aws:iam::MY_IAM:role/external-dns" + #@schema/validation ("irsaRole for external-dns is required for aws based providers",lambda v: len(v) >= 1) + external-dns: "" + #@schema/example "arn:aws:iam::MY_IAM:role/cert-manager" + #@schema/validation ("irsaRole for cert-manager is required for aws based providers",lambda v: len(v) >= 1) + cert-manager: "" + #@schema/nullable + #@schema/validation not_null=True, when=lambda _, ctx: ctx.root["clusterInfrastructure"]["provider"] == "gcp" + #@schema/title "GCP specific configuration" + #@schema/desc "GCP specific configuration to use when provider is set to gke" + gcp: + #@schema/title "GCP project" + #@schema/desc "GCP project where the cluster exists" + #@schema/validation ("project is required for gcp based providers",lambda v: len(v) >= 1) + project: "" + #@schema/title "CloudDNS configuration" + #@schema/desc "CloudDNS configuration for the GCP project. This will be used by external-dns to manage DNS records" + #@schema/nullable + cloudDNS: + #@schema/title "CloudDNS zone" + #@schema/desc "CloudDNS zone to use. 
When not provided, external-dns will be provided with clusterIngress.domain" + #@schema/validation ("cloudDNS.zone is required for gcp based providers",lambda v: len(v) >= 1) + zone: "" + #@schema/title "GCP IAM WorkloadIdentities" + #@schema/desc "GCP IAM WorkloadIdentities for external-dns and cert-manager" + workloadIdentity: + #@schema/example "external-dns@my-project.iam.gserviceaccount.com" + #@schema/validation ("workloadIdentity for external-dns is required for gcp based providers",lambda v: len(v) >= 1) + external-dns: "" + #@schema/example "cert-manager@my-project.iam.gserviceaccount.com" + #@schema/validation ("workloadIdentity for cert-manager is required for gcp based providers",lambda v: len(v) >= 1) + cert-manager: "" + #@schema/title "CA Certificate" + #@schema/desc "CA Certificates to inject to the cluster. When provider is set to kind it'll configure cert-manager to generate certs. CA Issuers must be configured with a certificate (tls.crt) and private key (tls.key) stored in the Kubernetes secret" + #@schema/nullable + caCertificateRef: + #@schema/validation min_len=1 + namespace: "" + #@schema/validation min_len=1 + name: "" +#!--------- educates installation schema +#@schema/nullable +localKindCluster: + listenAddress: "" + apiServer: + address: "" + port: 6443 + volumeMounts: + - hostPath: "" + containerPath: "" + readOnly: false +#@schema/nullable +localDNSResolver: + targetAddress: "" + extraDomains: + - "" +#!--------- educates training platform schema +#! NOTE: https://github.com/jorgemoralespou/educates-training-platform/blob/develop/carvel-packages/training-platform/bundle/config/00-schema.yaml#L21C1-L33 +#! This is only so that the images generates are loaded from this registry. There's a pre-proccesing step that will generate a images file +#! so that this is not needed to be provided by the user. 
+#@schema/nullable +imageRegistry: + #@schema/nullable + #@schema/validation min_len=1 + host: "" + namespace: "" +#@schema/nullable +version: "" +#@schema/nullable +imageVersions: + - name: "" + image: "" +#@schema/nullable +clusterRuntime: + #@schema/nullable + class: "" +clusterIngress: + #@schema/nullable + domain: "" + #@schema/nullable + class: "" + #@schema/nullable + protocol: "" + #@schema/nullable + tlsCertificate: + #@schema/validation min_len=1 + tls.crt: "" + #@schema/validation min_len=1 + tls.key: "" + #@schema/nullable + tlsCertificateRef: + #@schema/validation min_len=1 + namespace: "" + #@schema/validation min_len=1 + name: "" + #! This seems to only be needed for provided certificates that are signed by a local CA, + #! which means that you need to provide the tlsCertificate as well + #@schema/nullable + caCertificate: + #@schema/validation min_len=1 + ca.crt: "" + #! This seems to only be needed for provided certificates that are signed by a local CA, + #! which means that you need to provide the tlsCertificate as well + #@schema/nullable + caCertificateRef: + #@schema/validation min_len=1 + namespace: "" + #@schema/validation min_len=1 + name: "" + #@schema/nullable + caNodeInjector: + enabled: false +#@schema/nullable +sessionCookies: + domain: "" +#@schema/nullable +clusterStorage: + #@schema/nullable + class: "" + #@schema/nullable + user: 0 + #@schema/nullable + group: 1 +#@schema/nullable +clusterSecrets: + pullSecretRefs: + - namespace: "" + name: "" +#! This element is not nullable so that kyverno is the default +clusterSecurity: + #@schema/validation one_of=["pod-security-policies", "pod-security-standards", "security-context-constraints", "kyverno", "none"] + policyEngine: "kyverno" +#! 
This element is not nullable so that kyverno is the default +workshopSecurity: + #@schema/validation one_of=["kyverno", "none"] + rulesEngine: "kyverno" +#@schema/nullable +trainingPortal: + #@schema/nullable + credentials: + #@schema/nullable + admin: + #@schema/validation min_len=1 + username: "educates" + #@schema/validation min_len=1 + password: "" + #@schema/nullable + robot: + #@schema/validation min_len=1 + username: "robot@educates" + #@schema/validation min_len=1 + password: "" + #@schema/nullable + clients: + robot: + #@schema/validation min_len=1 + id: "" + #@schema/validation min_len=1 + secret: "" +#@schema/nullable +dockerDaemon: + #@schema/nullable + networkMTU: 1400 + #@schema/nullable + proxyCache: + #@schema/validation min_len=1 + remoteURL: "" + #@schema/nullable + username: "" + #@schema/nullable + password: "" +#@schema/nullable +clusterNetwork: + #@schema/default ["169.254.169.254/32", "fd00:ec2::254/128"] + blockCIDRs: + - "" +#@schema/nullable +workshopAnalytics: + #@schema/nullable + google: + #@schema/validation min_len=1 + trackingId: "" + #@schema/nullable + clarity: + #@schema/validation min_len=1 + trackingId: "" + #@schema/nullable + amplitude: + #@schema/validation min_len=1 + trackingId: "" + #@schema/nullable + webhook: + #@schema/validation min_len=1 + url: "" +#@schema/nullable +websiteStyling: + #@schema/nullable + workshopDashboard: + #@schema/nullable + html: "" + #@schema/nullable + script: "" + #@schema/nullable + style: "" + #@schema/nullable + workshopInstructions: + #@schema/nullable + html: "" + #@schema/nullable + script: "" + #@schema/nullable + style: "" + #@schema/nullable + workshopStarted: + html: "" + #@schema/nullable + workshopFinished: + html: "" + #@schema/nullable + trainingPortal: + html: "" + #@schema/nullable + script: "" + #@schema/nullable + style: "" + #@schema/nullable + defaultTheme: "" + #@schema/nullable + themeDataRefs: + - name: "" + namespace: "" + #@schema/nullable + frameAncestors: + - "" 
+#@schema/nullable +imagePuller: + enabled: true + #@schema/default ["base-environment"] + prePullImages: + #@schema/validation min_len=1 + - "" +#@schema/nullable +lookupService: + enabled: false + #@schema/nullable + ingressPrefix: "educates-api" \ No newline at end of file diff --git a/carvel-packages/installer/bundle/kbld/kbld-bundle.yaml b/carvel-packages/installer/bundle/kbld/kbld-bundle.yaml new file mode 100644 index 000000000..9b09231ca --- /dev/null +++ b/carvel-packages/installer/bundle/kbld/kbld-bundle.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: kbld.k14s.io/v1alpha1 +minimumRequiredVersion: 0.30.0 +kind: Config +searchRules: + - keyMatcher: + name: SESSION_MANAGER_IMAGE + - keyMatcher: + name: SECRETS_MANAGER_IMAGE + - keyMatcher: + name: TUNNEL_MANAGER_IMAGE + - keyMatcher: + name: TRAINING_PORTAL_IMAGE + - keyMatcher: + name: DOCKER_IN_DOCKER_IMAGE + - keyMatcher: + name: DOCKER_REGISTRY_IMAGE + - keyMatcher: + name: PAUSE_CONTAINER_IMAGE + - keyMatcher: + name: BASE_ENVIRONMENT_IMAGE + - keyMatcher: + name: JDK8_ENVIRONMENT_IMAGE + - keyMatcher: + name: JDK11_ENVIRONMENT_IMAGE + - keyMatcher: + name: CONDA_ENVIRONMENT_IMAGE diff --git a/carvel-packages/installer/config/app.yaml b/carvel-packages/installer/config/app.yaml new file mode 100644 index 000000000..fe222431c --- /dev/null +++ b/carvel-packages/installer/config/app.yaml 
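Review bot: The `not_null=True` validation on `clusterInfrastructure.gcp` is gated on `ctx.root["clusterInfrastructure"]["provider"] == "gcp"`, but `provider` is constrained by `one_of=["eks", "gke", "kind", "custom", "vcluster", "generic"]`, so that condition can never be true and a `gke` install passes validation without `gcp.project` or the workload identities; the `when=` should compare against `"gke"`, as the `aws` block correctly compares against `"eks"` and as the block's own `#@schema/desc` ("when provider is set to gke") already states. It would also help operators to mark the secret-bearing fields (`trainingPortal.credentials.*.password`, `trainingPortal.clients.robot.secret`, `dockerDaemon.proxyCache.password`, `clusterIngress.tlsCertificate.tls.key`) with a `#@schema/desc` noting they are sensitive and are expected to come from the values Secret rather than a committed values file.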
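Review bot: The `searchRules` in kbld-bundle.yaml have `keyMatcher` entries for the classic image keys only, while images.yaml in this same commit declares `jdk17-environment`, `jdk21-environment`, `image-cache`, `assets-server` and `lookup-service` images as well; if those are consumed through matching `*_IMAGE` keys, kbld will not rewrite them and they will be pulled untouched. Whether that is intended cannot be told from this file alone, so either add the missing matchers or leave a comment above `searchRules` stating which keys are deliberately excluded and why.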
@@ -0,0 +1,71 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:yaml", "yaml")
+
+#@ def bundle_reference():
+#@ registry = data.values.imageRegistry.host
+#@ if not registry or registry == "localhost:5001":
+#@ registry = "registry.default.svc.cluster.local"
+#@ end
+#@ if data.values.imageRegistry.namespace:
+#@ registry = "{}/{}".format(registry, data.values.imageRegistry.namespace)
+#@ end
+#@ return "{}/educates-installer:{}".format(registry, data.values.version)
+#@ end
+
+#! This configmap provides interoperability between the kapp-controller installation and
+#! the educates CLI installation, by preconfiguring the label kapp-controller's App will use to
+#! be the same as the one used by the educates CLI.
+#! The name of the configmap will be the same as the App, but with `.app` appended.
+#! The `spec` needs `labelKey` and `labelValue` fields to be set.
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ kapp.k14s.io/is-app: ""
+ annotations:
+ kapp.k14s.io/app-changes-use-app-label: ""
+ name: installer.educates.dev.app
+ namespace: educates-installer
+data:
+ spec: '{"labelKey":"installer","labelValue":"educates-installer.app"}'
+---
+apiVersion: kappctrl.k14s.io/v1alpha1
+kind: App
+metadata:
+ name: installer.educates.dev
+ namespace: educates-installer
+spec:
+ serviceAccountName: educates-installer
+ syncPeriod: 87600h #! 10 years
+ fetch:
+ - imgpkgBundle:
+ image: #@ bundle_reference()
+ path: bundle
+ - inline:
+ paths:
+ disable-kapp-controller.yaml: |
+ clusterPackages:
+ kapp-controller:
+ enabled: false
+ path: values
+ template:
+ - ytt:
+ valuesFrom:
+ - path: "bundle/kbld/kbld-images.yaml"
+ - secretRef:
+ name: educates-installer
+ - path: values/disable-kapp-controller.yaml
+ paths:
+ - "bundle/kbld/kbld-bundle.yaml"
+ - "bundle/config/kapp"
+ - "bundle/config/ytt"
+ - kbld:
+ paths:
+ - "bundle/.imgpkg/images.yml"
+ - "-"
+ deploy:
+ - kapp:
+ rawOptions:
+ - "--app-changes-max-to-keep=0"
+ #! - "--diff-changes=true"
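Review bot: `bundle_reference()` builds the `imgpkgBundle` reference from a mutable tag (`data.values.version`) with no digest, and with `syncPeriod: 87600h` kapp-controller will fetch that tag essentially once and never reconcile again, so whatever the tag resolves to at install time is what runs and a later retag is only noticed on a manual kick. If `version` is meant to be an immutable release tag, state that where the reference is built: `#! version must be an immutable release tag: the bundle is fetched by tag, not digest, and the App is only re-synced every 10 years`. The silent rewrite of `localhost:5001` to `registry.default.svc.cluster.local` also deserves a one-line comment tying it to the containerd mirror entries in the kind templates, since images.yaml in this commit keeps `localhost:5001` as its fallback and a reader will otherwise assume one of the two is wrong.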
diff --git a/carvel-packages/installer/config/images.yaml b/carvel-packages/installer/config/images.yaml
new file mode 100644
index 000000000..936c91716
--- /dev/null
+++ b/carvel-packages/installer/config/images.yaml
@@ -0,0 +1,59 @@
+#@ load("@ytt:data", "data")
+
+#@ def image_reference(name):
+#@ registry = data.values.imageRegistry.host
+#@ if not registry:
+#@ registry = "localhost:5001"
+#@ end
+#@ if data.values.imageRegistry.namespace:
+#@ registry = "{}/{}".format(registry, data.values.imageRegistry.namespace)
+#@ end
+#@ return "{}/educates-{}:{}".format(registry, name, data.values.version)
+#@ end
+
+---
+imageVersions:
+ - name: session-manager
+ image: #@ image_reference("session-manager")
+ - name: training-portal
+ image: #@ image_reference("training-portal")
+ - name: docker-registry
+ image: #@ image_reference("docker-registry")
+ - name: pause-container
+ image: #@ image_reference("pause-container")
+ - name: base-environment
+ image: #@ image_reference("base-environment")
+ - name: jdk8-environment
+ image: #@ image_reference("jdk8-environment")
+ - name: jdk11-environment
+ image: #@ image_reference("jdk11-environment")
+ - name: jdk17-environment
+ image: #@ image_reference("jdk17-environment")
+ - name: jdk21-environment
+ image: #@ image_reference("jdk21-environment")
+ - name: conda-environment
+ image: #@ image_reference("conda-environment")
+ - name: secrets-manager
+ image: #@ image_reference("secrets-manager")
+ - name: tunnel-manager
+ image: #@ image_reference("tunnel-manager")
+ - name: image-cache
+ image: #@ image_reference("image-cache")
+ - name: assets-server
+ image: #@ image_reference("assets-server")
+ - name: lookup-service
+ image: #@ image_reference("lookup-service")
+ - name: debian-base-image
+ image: "debian:sid-20230502-slim"
+ - name: docker-in-docker
+ image: "docker:20.10.18-dind"
+ - name: rancher-k3s-v1.27
+ image: "rancher/k3s:v1.27.14-k3s1"
+ - name: rancher-k3s-v1.28
+ image: "rancher/k3s:v1.28.10-k3s1"
+ - name: rancher-k3s-v1.29
+ image: "rancher/k3s:v1.29.5-k3s1"
+ - name: rancher-k3s-v1.30
+ image: "rancher/k3s:v1.30.1-k3s1"
+ - name: loftsh-vcluster
+ image: "loftsh/vcluster:0.18.1"
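Review bot: The third-party entries at the bottom of `imageVersions` (`debian:sid-20230502-slim`, `docker:20.10.18-dind`, the four `rancher/k3s` tags and `loftsh/vcluster:0.18.1`) are mutable tags with no `@sha256:` digest; unless the kbld step that consumes `bundle/.imgpkg/images.yml` in app.yaml resolves them, the platform will pull whatever those tags point to at run time rather than what was tested. Pinning them by digest, or a comment stating that kbld locks them at bundle build time, would settle that. `image_reference` also falls back to `localhost:5001` where `bundle_reference` in app.yaml rewrites the same host to `registry.default.svc.cluster.local`; a comment such as `#! localhost:5001 is the kind-local registry; the node's containerd mirror maps it to educates-registry` explains why the two helpers differ.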
diff --git a/carvel-packages/installer/config/rbac.yaml b/carvel-packages/installer/config/rbac.yaml new file mode 100644 index 000000000..1a9f30535 --- /dev/null +++ b/carvel-packages/installer/config/rbac.yaml @@ -0,0 +1,24 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: educates-installer +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: educates-installer + namespace: educates-installer +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: educates-installer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: educates-installer + namespace: educates-installer \ No newline at end of file diff --git a/carvel-packages/training-platform/config/schema.yaml b/carvel-packages/installer/config/schema.yaml similarity index 61% rename from carvel-packages/training-platform/config/schema.yaml rename to carvel-packages/installer/config/schema.yaml index c55e3cbc9..eeaf4555d 100644 --- a/carvel-packages/training-platform/config/schema.yaml +++ b/carvel-packages/installer/config/schema.yaml @@ -1,12 +1,6 @@ #@data/values-schema --- - version: latest - imageRegistry: host: "localhost" - namespace: "" - -releasedAt: "" - -openapi: "" + namespace: "" \ No newline at end of file diff --git a/carvel-packages/installer/kind-templates/kind-kyverno.yaml b/carvel-packages/installer/kind-templates/kind-kyverno.yaml new file mode 100644 index 000000000..7acc881cc --- /dev/null +++ b/carvel-packages/installer/kind-templates/kind-kyverno.yaml 
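Review bot: The `educates-installer` ServiceAccount is bound straight to `cluster-admin` with no comment on why; the App in app.yaml installs CRDs, cluster-scoped RBAC and policy engines, so broad rights are plausible, but `cluster-admin` also lets any workload that obtains this account's token read every Secret in the cluster, which makes the `educates-installer` namespace a privileged one. Record the justification next to the binding, e.g. `#! cluster-admin: the installer App creates CRDs, ClusterRoles and cluster-wide policies; narrow this if the managed package set shrinks`, so a later reviewer can see the trade-off was deliberate rather than a default.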
@@ -0,0 +1,26 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +name: test-educates +nodes: +- role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + listenAddress: 192.168.50.50 + hostPort: 80 + protocol: TCP + - containerPort: 443 + listenAddress: 192.168.50.50 + hostPort: 443 + protocol: TCP +containerdConfigPatches: +- |- + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5001"] + endpoint = ["http://educates-registry:5000"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.default.svc.cluster.local"] + endpoint = ["http://educates-registry:5000"] diff --git a/carvel-packages/installer/kind-templates/kind-pod-security-policies.yaml b/carvel-packages/installer/kind-templates/kind-pod-security-policies.yaml new file mode 100644 index 000000000..b4d9def11 --- /dev/null +++ b/carvel-packages/installer/kind-templates/kind-pod-security-policies.yaml @@ -0,0 +1,32 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + - | + kind: ClusterConfiguration + metadata: + name: config + apiServer: + extraArgs: + enable-admission-plugins: PodSecurityPolicy + extraPortMappings: + - containerPort: 80 + listenAddress: 192.168.50.50 + hostPort: 80 + protocol: TCP + - containerPort: 443 + listenAddress: 192.168.50.50 + hostPort: 443 + protocol: TCP +containerdConfigPatches: + - |- + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5001"] + endpoint = ["http://educates-registry:5000"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.default.svc.cluster.local"] + endpoint = ["http://educates-registry:5000"] 
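Review bot: `enable-admission-plugins: PodSecurityPolicy` in kind-pod-security-policies.yaml names an admission plugin that was removed from kube-apiserver in Kubernetes 1.25, so on any current kind node image the control plane will fail to start with an unknown-plugin error; if this template exists for legacy pre-1.25 testing, pin the node image it is meant for in the file (`image:` on the node entry, or at least a comment naming the last supported version), otherwise drop the template together with the `pod-security-policies` value of `clusterSecurity.policyEngine`. All three kind templates also repeat the hard-coded `listenAddress: 192.168.50.50` and the two `http://educates-registry:5000` mirror entries; a comment in each stating they are local-development clusters with a plaintext in-cluster registry would keep anyone from reusing them elsewhere.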
diff --git a/carvel-packages/installer/kind-templates/kind-pod-security-standards.yaml b/carvel-packages/installer/kind-templates/kind-pod-security-standards.yaml new file mode 100644 index 000000000..69cc1b1f1 --- /dev/null +++ b/carvel-packages/installer/kind-templates/kind-pod-security-standards.yaml @@ -0,0 +1,27 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + listenAddress: 192.168.50.50 + hostPort: 80 + protocol: TCP + - containerPort: 443 + listenAddress: 192.168.50.50 + hostPort: 443 + protocol: TCP +containerdConfigPatches: + - |- + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5001"] + endpoint = ["http://educates-registry:5000"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.default.svc.cluster.local"] + endpoint = ["http://educates-registry:5000"] +featureGates: + PodSecurity: true diff --git a/carvel-packages/installer/scenarios/README.md b/carvel-packages/installer/scenarios/README.md new file mode 100644 index 000000000..55a03156d --- /dev/null +++ b/carvel-packages/installer/scenarios/README.md 
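Review bot: `featureGates: PodSecurity: true` at the end of kind-pod-security-standards.yaml refers to a feature gate that graduated to GA in 1.25 and was removed in 1.28; on kind node images of 1.28 or later an unrecognised gate is a startup error, and on earlier ones the line is a no-op since the gate is already on by default. Unless this template targets a specific older node image, the `featureGates` block should be removed, with a comment such as `#! PodSecurity admission is enabled by default on every supported kind node image` left in its place so the intent survives.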
@@ -0,0 +1,39 @@ +# Scenarios + +There's some scenarios we want to cover and test. We can print the list of scenarios and the +test file by executing: + +``` +./test-scenarios.sh --help +``` + +We can run the scenarios by executing: + +``` +./test-scenarios.sh +``` + +If you want to see the processed config generated by each scenario: + +``` +./test-scenarios.sh --debug +``` + +If you want to see things `TODO` for an scenario: + +``` +./test-scenarios.sh --todo +``` + +**NOTE** Take into account that values are mock, so if you really want to test these scenarios into a cluster +make a copy and alter the values to your needs. + +**NOTE** You will need to have a cluster to test on the cluster + +## Scenarios implemented + +To get a list of implemented scenarios and their description run: + +``` +./test-scenarios.sh -h +``` diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/description.md b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/description.md new file mode 100644 index 000000000..8221c016d --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/description.md @@ -0,0 +1,4 @@ +kind using provided domain and educates config with custom configuration +In this sccenario we provide some educates global config and not the one in the clusterPackages +Because for custom, only the configuration in clusterPackages is used, all `educates` global configuration +should be discarded. diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml new file mode 100644 index 000000000..ed9abc106 --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/expected.yaml 
@@ -0,0 +1,25 @@ +clusterPackages: + contour: + enabled: true + settings: {} + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + cert-manager.custom: "true" + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: false + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: {} diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/values.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/values.yaml new file mode 100644 index 000000000..f5ff87163 --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-1/values.yaml @@ -0,0 +1,39 @@ +clusterPackages: + contour: + enabled: true + settings: {} + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + cert-manager.custom: "true" + external-dns: + enabled: false + settings: + infraProvider: gcp + gcp: + args: + project: "PROJECT_ID" + certs: + enabled: false + settings: {} + kyverno: + enabled: false + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: {} +clusterInfrastructure: + provider: custom +clusterIngress: + domain: "educates.example.com" +clusterSecurity: + policyEngine: none +workshopSecurity: + rulesEngine: none +sessionCookies: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/description.md b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/description.md new file mode 100644 index 000000000..f2719ccb0 --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/description.md @@ -0,0 +1,3 @@ +kind using provided domain with custom configuration +In this scenario we don't use any global `educates` config, but the one in the clusterPackages. +This configuration should be respected 
diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml new file mode 100644 index 000000000..ca3f57095 --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/expected.yaml @@ -0,0 +1,29 @@ +clusterPackages: + contour: + enabled: true + settings: {} + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + cert-manager.custom: "true" + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + sessionCookies: + domain: educates.example.com diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/values.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/values.yaml new file mode 100644 index 000000000..e147ebf42 --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-2/values.yaml @@ -0,0 +1,35 @@ +clusterPackages: + contour: + enabled: true + settings: {} + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + cert-manager.custom: "true" + external-dns: + enabled: false + settings: + infraProvider: gcp + gcp: + args: + project: "PROJECT_ID" + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: "educates.example.com" + sessionCookies: + domain: "educates.example.com" +clusterInfrastructure: + provider: "custom" diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/description.md b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/description.md new file mode 100644 index 000000000..01a89ff15 --- /dev/null 
+++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/description.md @@ -0,0 +1,4 @@ +kind using provided domain with custom configuration +In this scenario we don't use any global educates config, but the one in the clusterPackages. +We do not provide config for `kapp-controller` and `certs` so these packages will be `disabled` in +generated config. All the other `clusterPackages` configuration will be respected. diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml new file mode 100644 index 000000000..1676ca2be --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/expected.yaml @@ -0,0 +1,32 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: custom + contour: + replicas: 10 + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + cert-manager.custom: "true" + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + sessionCookies: + domain: educates.example.com diff --git a/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/values.yaml b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/values.yaml new file mode 100644 index 000000000..146885467 --- /dev/null +++ b/carvel-packages/installer/scenarios/custom/test-custom-scenario-3/values.yaml 
@@ -0,0 +1,32 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: custom + contour: + replicas: 10 + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + cert-manager.custom: "true" + external-dns: + enabled: false + settings: + infraProvider: gcp + gcp: + args: + project: "PROJECT_ID" + kyverno: + enabled: true + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: "educates.example.com" + sessionCookies: + domain: "educates.example.com" +clusterInfrastructure: + provider: "custom" diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/description.md new file mode 100644 index 000000000..8d52e0166 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/description.md @@ -0,0 +1 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/expected.yaml new file mode 100644 index 000000000..4eaba41b2 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/expected.yaml 
@@ -0,0 +1,58 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/values.yaml new file mode 100644 index 000000000..708276843 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01/values.yaml @@ -0,0 +1,13 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/description.md new file mode 100644 index 000000000..c805144ca 
--- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +No specific Route53 hostedZone provided, hence, using clusterIngress.domain diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/expected.yaml new file mode 100644 index 000000000..ceec0f770 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/expected.yaml @@ -0,0 +1,58 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: educates.example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/values.yaml new file mode 100644 index 000000000..c30405eb1 --- /dev/null 
+++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-01b/values.yaml @@ -0,0 +1,11 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/description.md new file mode 100644 index 000000000..e9edfadcc --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We provide some custom configuration in clusterPackages that should be discarded. diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/expected.yaml new file mode 100644 index 000000000..4eaba41b2 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/expected.yaml 
@@ -0,0 +1,58 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/values.yaml new file mode 100644 index 000000000..2d60041cd --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-02/values.yaml 
@@ -0,0 +1,53 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterPackages: + contour: + enabled: true + settings: + infraProvider: "aws" + configFileContents: + defaultHttpVersions: + - "HTTP/2" + service: + type: "ClsuterIP" + externaldns: + domains: + - "ERROR.educates.example.com" + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: "ERROR_role/cert-manager" + external-dns: + enabled: true + settings: + infraProvider: "aws" + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: "ERROR_role/external-dns" + aws: + args: + domain_filter: "ERROR.educates.example.com" + txt_owner_id: "ERROR.educates" + certs: + enabled: true + settings: + certProvider: "acme" + domains: + - "ERROR.educates.example.com" + acme: + aws: + certs: + region: "eu-west-1" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/description.md new file mode 100644 index 000000000..e27d33b47 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We disable some packages. diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml new file mode 100644 index 000000000..0adf75f6f --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/expected.yaml 
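Review bot: This values fixture only overrides keys that the eks branch of the installer sets itself (contour `service.type`, the IRSA annotations, `domain_filter`, `txt_owner_id`, `certProvider`), so it cannot distinguish a wholesale replacement of `settings` from a merge that happens to overwrite every key; adding an unknown key such as `extraKey: "ERROR"` under `contour.settings` and `external-dns.settings`, absent from expected.yaml, would pin the replacement behaviour. The fixture also documents that a user-supplied `txt_owner_id` (`"ERROR.educates"`) is discarded for the fixed `educates` in expected.yaml, which means two eks installs sharing one hosted zone would present the same owner id to external-dns and could overwrite each other's records. If that is intended, say so in description.md; otherwise consider a top-level knob (e.g. under `clusterInfrastructure.aws.route53`) that feeds `txt_owner_id`.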
@@ -0,0 +1,31 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/values.yaml new file mode 100644 index 000000000..1483d2216 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-03/values.yaml @@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterPackages: + contour: + enabled: false + cert-manager: + enabled: false + external-dns: + enabled: false + certs: + enabled: false +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md new file mode 100644 index 000000000..cfd1fb92d --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService 
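Review bot: With `certs` disabled in values.yaml, expected.yaml still emits `clusterIngress.tlsCertificateRef: {namespace: projectcontour, name: educateswildcard}`, a reference to the wildcard secret the now-disabled certs package would have issued, while `contour` is disabled as well so nothing in this install creates that namespace or secret. If this is the bring-your-own-certificate path, description.md should state that the operator must pre-create `educateswildcard` in `projectcontour`; if not, the installer should drop the ref (or reject the combination) when certs is disabled and the fixture should encode that rather than lock in a dangling reference. The same dangling ref is presumably what an operator would get silently at install time, so a warning in the installer output would be useful either way.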
diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml new file mode 100644 index 000000000..49994de5d --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/expected.yaml @@ -0,0 +1,60 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml new file mode 100644 index 000000000..1d60959b5 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04/values.yaml 
@@ -0,0 +1,15 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md new file mode 100644 index 000000000..16e4b3112 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/description.md @@ -0,0 +1,2 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml new file mode 100644 index 000000000..d73aeee75 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml new file mode 100644 index 000000000..e5a4dc714 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04b/values.yaml @@ -0,0 +1,16 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE 
diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md new file mode 100644 index 000000000..f3c38bb69 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/description.md @@ -0,0 +1,3 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix globally +We enable LookupService in clusterPackages with other ingressPrefix that should be discarded diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml new file mode 100644 index 000000000..d73aeee75 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml new file mode 100644 index 000000000..8d11157d9 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04c/values.yaml @@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_NOT +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE 
diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md new file mode 100644 index 000000000..cf6502638 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/description.md @@ -0,0 +1,3 @@ +eks integrating with Route53 to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with no ingressPrefix +We enable LookupService in clusterPackages with other ingressPrefix that should be REMAIN diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml new file mode 100644 index 000000000..5cdfaadca --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: aws + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager + external-dns: + enabled: true + settings: + infraProvider: aws + serviceaccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns + aws: + args: + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-aws + domains: + - educates.example.com + acme: + aws: + certs: + region: eu-west-1 + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY diff --git a/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml new file mode 100644 index 000000000..84b789f21 --- /dev/null +++ b/carvel-packages/installer/scenarios/eks/test-eks-scenario-04d/values.yaml @@ -0,0 +1,21 @@ +clusterInfrastructure: + provider: "eks" + aws: + region: "eu-west-1" + route53: + hostedZone: "example.com" + irsaRoles: + external-dns: "arn:aws:iam::123456789012:role/external-dns" + cert-manager: "arn:aws:iam::123456789012:role/cert-manager" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true 
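Review bot: Together with 04c this fixture pins a key-level merge for `clusterPackages.educates.settings`: a global `lookupService.ingressPrefix` wins, but a value present only under clusterPackages (`THIS_SHOULD_STAY`) passes through. That differs from the infra packages, whose clusterPackages settings are discarded wholesale (eks-02), and there is no coverage for the security-relevant keys in the same block — no scenario shows whether `clusterPackages.educates.settings.clusterSecurity.policyEngine: none` or `workshopSecurity.rulesEngine: none` is overridden by the global or default `kyverno`. A 04e fixture setting those two keys under clusterPackages, with expected.yaml still showing `policyEngine: kyverno` and `rulesEngine: kyverno`, would pin that precedence before someone relies on it.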
diff --git a/carvel-packages/installer/scenarios/generic/README.md b/carvel-packages/installer/scenarios/generic/README.md new file mode 100644 index 000000000..24ab8b5c7 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/README.md @@ -0,0 +1,3 @@ +# vcluster +For vcluster we only allow the opinionated configuration for the packages, so, not settings are allowed +and no enablong/disabling of individual packages permitted. \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/description.md b/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/description.md new file mode 100644 index 000000000..8cb60ef36 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/description.md @@ -0,0 +1 @@ +generic configuration with some overrides to see if they are set diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/expected.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/expected.yaml new file mode 100644 index 000000000..31cd99df0 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/expected.yaml @@ -0,0 +1,35 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: true + prePullImages: + - b \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/values.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/values.yaml new file mode 100644 index 000000000..4da98fa52 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-1/values.yaml @@ -0,0 +1,20 @@ +clusterInfrastructure: + provider: "generic" +clusterPackages: + educates: + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/description.md b/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/description.md new file mode 100644 index 000000000..2a2f668a7 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/description.md @@ -0,0 +1,3 @@ +generic configuration with some overrides to see if they are set. +Since we are adding configuration for contour and this package +can not be enabled or customised, nothing will show for contour diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/expected.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/expected.yaml new file mode 100644 index 000000000..31cd99df0 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/expected.yaml 
@@ -0,0 +1,35 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: true + prePullImages: + - b \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/values.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/values.yaml new file mode 100644 index 000000000..d3c9ee17c --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-2/values.yaml @@ -0,0 +1,24 @@ +clusterInfrastructure: + provider: "generic" +clusterPackages: + contour: + enabled: true + settings: + infraProvider: "custom" + educates: + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/description.md b/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/description.md new file mode 100644 index 000000000..2c29f1790 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/description.md @@ -0,0 +1,2 @@ +generic configuration with some overrides to see if they are set +We disable kyverno, which is the only configurable package, so we disable. \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/expected.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/expected.yaml new file mode 100644 index 000000000..03e183dbf --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/expected.yaml @@ -0,0 +1,35 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: false + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: true + prePullImages: + - b \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/values.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/values.yaml new file mode 100644 index 000000000..a540f0251 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-3/values.yaml @@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "generic" +clusterPackages: + kyverno: + enabled: false + educates: + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/description.md b/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/description.md new file mode 100644 index 000000000..c56bb1927 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/description.md 
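Review bot: expected.yaml disables the `kyverno` package yet still sets `clusterSecurity.policyEngine: kyverno` under educates settings, and values.yaml does not set clusterSecurity at all, so this is the installer default surviving the package being turned off. Unless kyverno is already present in the cluster, the operator would be configured for a policy engine that is not installed and the cluster/workshop security policies would presumably not be enforced — confirm this is intended. If it is, description.md should state that disabling kyverno assumes a pre-existing kyverno install; if not, the installer should fall back (e.g. `policyEngine: none`) or reject the combination, and this fixture should encode that outcome.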
@@ -0,0 +1,2 @@ +generic configuration with some overrides to see if they are set +We disable educates, which can not be disabled, so will remain enabled. \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/expected.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/expected.yaml new file mode 100644 index 000000000..31cd99df0 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/expected.yaml @@ -0,0 +1,35 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: true + prePullImages: + - b \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/values.yaml b/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/values.yaml new file mode 100644 index 000000000..d276cf186 --- /dev/null +++ b/carvel-packages/installer/scenarios/generic/test-generic-scenario-4/values.yaml @@ -0,0 +1,21 @@ +clusterInfrastructure: + provider: "generic" +clusterPackages: + educates: + enabled: false + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" 
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/description.md new file mode 100644 index 000000000..2c10c179f --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/description.md @@ -0,0 +1 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/expected.yaml new file mode 100644 index 000000000..919141e16 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/expected.yaml @@ -0,0 +1,58 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno 
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/values.yaml new file mode 100644 index 000000000..299f02846 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-01/values.yaml @@ -0,0 +1,13 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/description.md new file mode 100644 index 000000000..42e5deb54 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/description.md @@ -0,0 +1,3 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We provide some custom configuration in clusterPackages that should be discarded. + diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/expected.yaml new file mode 100644 index 000000000..919141e16 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/expected.yaml 
@@ -0,0 +1,58 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/values.yaml new file mode 100644 index 000000000..08406e678 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-02/values.yaml 
@@ -0,0 +1,54 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterPackages: + contour: + enabled: true + settings: + infraProvider: "aws" + configFileContents: + defaultHttpVersions: + - "HTTP/2" + service: + type: "ClsuterIP" + externaldns: + domains: + - "ERROR.educates.example.com" + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: "ERROR.cert-manager@my-project.iam.gserviceaccount.com" + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: ERROR.external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - ERROR.educates.example.com + acme: + gcp: + project: my-project +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/description.md new file mode 100644 index 000000000..be072ea15 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/description.md @@ -0,0 +1,2 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We disable some packages. diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml new file mode 100644 index 000000000..0adf75f6f --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/expected.yaml 
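Review bot: The "must be discarded" inputs in this values.yaml use an inconsistent sentinel: most are prefixed `ERROR.`, but `infraProvider: "aws"`, `"HTTP/2"` and `type: "ClsuterIP"` are just different (and the last looks like an accidental typo of ClusterIP rather than a marker). Since the fixture only proves these values never reach expected.yaml, a uniform, obviously-invalid marker makes the intent unmistakable to the next reader, e.g. `type: "ERROR.ClusterIP"` and `infraProvider: "ERROR.aws"`. Worth noting in description.md that every clusterPackages value here is deliberately wrong and must not appear in the output.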
@@ -0,0 +1,31 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/values.yaml new file mode 100644 index 000000000..f00b96b8a --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-03/values.yaml @@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterPackages: + contour: + enabled: false + cert-manager: + enabled: false + external-dns: + enabled: false + certs: + enabled: false +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md new file mode 100644 index 000000000..d5998c859 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/description.md @@ -0,0 +1,2 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService 
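Review bot: This expected.yaml still hands educates `clusterIngress.tlsCertificateRef: {namespace: projectcontour, name: educateswildcard}` even though `certs`, `cert-manager` and `contour` are all `enabled: false`, so the fixture pins a configuration that points at a TLS secret nothing in the install creates. If the intended behaviour is that the operator pre-provisions that secret, description.md should say so (`We disable some packages; the wildcard secret projectcontour/educateswildcard must then be supplied by the user`); otherwise the overlay should drop the derived tlsCertificateRef when `certs` is disabled and the expected output here should change accordingly. I can't see the overlay from this diff, so which of the two is intended needs confirming.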
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml new file mode 100644 index 000000000..acea7bbda --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/expected.yaml @@ -0,0 +1,60 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml new file mode 100644 index 000000000..cd0cc6995 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04/values.yaml 
@@ -0,0 +1,15 @@
+clusterInfrastructure:
+ provider: "gke"
+ gcp:
+ project: "my-project"
+ cloudDNS:
+ zone: "example.com"
+ workloadIdentity:
+ external-dns: "external-dns@my-project.iam.gserviceaccount.com"
+ cert-manager: "cert-manager@my-project.iam.gserviceaccount.com"
+clusterSecurity:
+ policyEngine: "kyverno"
+clusterIngress:
+ domain: "educates.example.com"
+lookupService:
+ enabled: true
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md
new file mode 100644
index 000000000..6b66805ec
--- /dev/null
+++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/description.md
@@ -0,0 +1,2 @@
+gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard
+We enable LookupService with alternate ingressPrefix
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml
new file mode 100644
index 000000000..e60e782f2
--- /dev/null
+++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/expected.yaml
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml new file mode 100644 index 000000000..ab77250d6 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04b/values.yaml @@ -0,0 +1,16 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE 
diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md new file mode 100644 index 000000000..2c06a3a79 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/description.md @@ -0,0 +1,3 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with alternate ingressPrefix globally +We enable LookupService in clusterPackages with other ingressPrefix that should be discarded diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml new file mode 100644 index 000000000..e60e782f2 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml new file mode 100644 index 000000000..5f9aeec75 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04c/values.yaml 
@@ -0,0 +1,22 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_NOT +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: ALTERNATE diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md new file mode 100644 index 000000000..f94ea1c40 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/description.md @@ -0,0 +1,3 @@ +gke integrating with Cloud DNS to create DNS records and Let's Encrypt to generate wildcard +We enable LookupService with no ingressPrefix +We enable LookupService in clusterPackages with other ingressPrefix that should be REMAIN diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml new file mode 100644 index 000000000..1cd4cc6c8 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/expected.yaml 
@@ -0,0 +1,61 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: gcp + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: LoadBalancer + externaldns: + domains: + - educates.example.com + cert-manager: + enabled: true + settings: + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: cert-manager@my-project.iam.gserviceaccount.com + external-dns: + enabled: true + settings: + infraProvider: gcp + serviceaccount: + annotations: + iam.gke.io/gcp-service-account: external-dns@my-project.iam.gserviceaccount.com + gcp: + args: + project: my-project + domain_filter: example.com + txt_owner_id: educates + certs: + enabled: true + settings: + certProvider: acme-gcp + domains: + - educates.example.com + acme: + gcp: + project: my-project + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + tlsCertificateRef: + namespace: projectcontour + name: educateswildcard + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY diff --git a/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml new file mode 100644 index 000000000..e04ce4ee8 --- /dev/null +++ b/carvel-packages/installer/scenarios/gke/test-gke-scenario-04d/values.yaml 
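Review bot: Together with 04c, this expected.yaml pins the precedence rule that a per-package value (`lookupService.ingressPrefix: THIS_SHOULD_STAY`) survives whenever the corresponding top-level key is absent, but only for a harmless setting. The same rule presumably applies to the `iam.gke.io/gcp-service-account` annotations on cert-manager and external-dns, and scenario 02 only shows them being overridden when `clusterInfrastructure.gcp.workloadIdentity` is set; there is no fixture for a clusterPackages-supplied annotation with that top-level key omitted, which is the case where a values file could bind those pods to an arbitrary GCP service account. A scenario pinning that outcome (whether the annotation is kept or dropped) would make the security-relevant side of this precedence explicit; I can't see the overlay, so I'm inferring the rule from the fixtures.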
@@ -0,0 +1,21 @@ +clusterInfrastructure: + provider: "gke" + gcp: + project: "my-project" + cloudDNS: + zone: "example.com" + workloadIdentity: + external-dns: "external-dns@my-project.iam.gserviceaccount.com" + cert-manager: "cert-manager@my-project.iam.gserviceaccount.com" +clusterPackages: + educates: + settings: + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_STAY +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/description.md new file mode 100644 index 000000000..d7c7716a0 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/description.md @@ -0,0 +1 @@ +kind using provided domain with http and kyverno clusterSecurityEngine diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/expected.yaml new file mode 100644 index 000000000..7bd6528fc --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/values.yaml new file mode 100644 index 000000000..8cd8f39c7 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01/values.yaml @@ -0,0 +1,7 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/description.md new file mode 100644 index 000000000..626d6107d --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/description.md @@ -0,0 +1,3 @@ +kind using provided domain with http and kyverno clusterSecurityEngine, +but with package kyverno disabled, +but even when clusterSecurity is kyverno, kyvernos should not be re-enabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/expected.yaml new file mode 100644 index 000000000..c96ce8233 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: false + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno 
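Review bot: This 01b expected.yaml pins educates to `clusterSecurity.policyEngine: kyverno` and `workshopSecurity.rulesEngine: kyverno` while the `kyverno` package stays `enabled: false`, so on a cluster with no pre-existing Kyverno the policies Educates expects to enforce are never applied. If "user brings their own Kyverno" is the supported case, description.md should state it (`kyverno package disabled; the policy engine is still kyverno, so a Kyverno installed outside this package is required`); if it is not, the overlay should reject `policyEngine: kyverno` with the package disabled rather than produce this output. The description's "kyvernos should not be re-enabled" only covers the package flag, not whether the resulting configuration is safe.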
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/values.yaml
new file mode 100644
index 000000000..57c17728d
--- /dev/null
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01b/values.yaml
@@ -0,0 +1,9 @@
+clusterPackages:
+ kyverno:
+ enabled: false
+clusterInfrastructure:
+ provider: "kind"
+clusterSecurity:
+ policyEngine: "kyverno"
+clusterIngress:
+ domain: "educates.example.com"
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/description.md
new file mode 100644
index 000000000..e0b4679e2
--- /dev/null
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/description.md
@@ -0,0 +1,4 @@
+kind using provided domain with http and kyverno clusterSecurityEngine,
+but with package kyverno disabled, but even with clusterSecurity is kyverno,
+kyverno should not be re-enabled
+
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml
new file mode 100644
index 000000000..27d97363b
--- /dev/null
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/expected.yaml
@@ -0,0 +1,31 @@
+clusterPackages:
+ contour:
+ enabled: true
+ settings:
+ infraProvider: kind
+ contour:
+ replicas: 1
+ configFileContents:
+ defaultHttpVersions:
+ - HTTP/1.1
+ service:
+ type: ClusterIP
+ useHostPorts: true
+ cert-manager:
+ enabled: false
+ settings: {}
+ external-dns:
+ enabled: false
+ settings: {}
+ certs:
+ enabled: false
+ settings: {}
+ kyverno:
+ enabled: false
+ settings: {}
+ kapp-controller:
+ enabled: false
+ settings: {}
+ educates:
+ enabled: false
+ settings: {}
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/values.yaml
new file mode 100644
index 000000000..29a630be5
--- /dev/null
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01c/values.yaml
@@ -0,0 +1,11 @@
+clusterPackages:
+ kyverno:
+ enabled: false
+ educates:
+ enabled: false
+clusterInfrastructure:
+ provider: "kind"
+clusterSecurity:
+ policyEngine: "kyverno"
+clusterIngress:
+ domain: "educates.example.com"
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md
new file mode 100644
index 000000000..464762cf8
--- /dev/null
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/description.md
@@ -0,0 +1,2 @@
+kind using provided domain with http and kyverno clusterSecurityEngine
+With lookupService enabled
\ No newline at end of file
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml
new file mode 100644
index 000000000..4f7203c54
--- /dev/null
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/expected.yaml
@@ -0,0 +1,39 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml new file mode 100644 index 000000000..558cfb221 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01d/values.yaml @@ -0,0 +1,9 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md new file mode 100644 index 000000000..0b89d1d83 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/description.md @@ -0,0 +1,2 @@ +kind using provided domain with http and kyverno clusterSecurityEngine +With lookupService enabled with clusterPackages providing alternate ingressPrefix that should remain \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml new file mode 100644 index 000000000..56d82dc15 --- /dev/null 
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml new file mode 100644 index 000000000..5f2f3b7c0 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01e/values.yaml @@ -0,0 +1,14 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true +clusterPackages: + educates: + settings: + lookupService: + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md new file mode 100644 index 000000000..2fcadff10 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/description.md @@ -0,0 +1,3 @@ +kind using provided domain with http and kyverno clusterSecurityEngine +With lookupService enabled with ingressPrefix +and clusterPackages providing alternate ingressPrefix that should not prevail \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml new file mode 100644 index 000000000..56d82dc15 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml new file mode 100644 index 000000000..84b3257d0 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-01f/values.yaml @@ -0,0 +1,15 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" +lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN +clusterPackages: + educates: + settings: + lookupService: + ingressPrefix: THIS_SHOULD_NOT diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/description.md new file mode 100644 index 000000000..6cf17296a --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/description.md 
@@ -0,0 +1,2 @@ +kind using provided domain with http and pod-security-policies clusterSecurityEngine, +but since kyverno is by default enabled and here not disabled explicitly, it'll be enabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/expected.yaml new file mode 100644 index 000000000..ab1958a6a --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: pod-security-policies + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/values.yaml new file mode 100644 index 000000000..33ee98ce5 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02/values.yaml @@ -0,0 +1,6 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "pod-security-policies" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/description.md new file mode 100644 index 000000000..ec1a71d10 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/description.md 
@@ -0,0 +1,2 @@ +kind using provided domain with http and pod-security-policies clusterSecurityEngine, +with kyverno disabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/expected.yaml new file mode 100644 index 000000000..3409b5b82 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: false + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: pod-security-policies + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/values.yaml new file mode 100644 index 000000000..f480cd276 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-02b/values.yaml @@ -0,0 +1,9 @@ +clusterPackages: + kyverno: + enabled: false +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "pod-security-policies" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/description.md new file mode 100644 index 000000000..33650776f --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/description.md @@ -0,0 +1 @@ +kind with tlsCertificateRef for educates 
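Review bot: In test-kind-scenario-02b/expected.yaml the kyverno package is pinned `enabled: false` while the educates settings are still rendered with `workshopSecurity: rulesEngine: kyverno`, so this expectation locks in a configuration whose workshop security rules name an engine the installer will not deploy; presumably those rules are then not enforced at all, though I cannot confirm the enforcement path from this diff. If rulesEngine is meant to be derived from the package set, the expected value should change (or the scenario should expect a validation error); if the combination is deliberately allowed, say so in the description, e.g. `with kyverno disabled; workshopSecurity.rulesEngine still defaults to kyverno and is only enforced if kyverno is installed separately`. Scenario 02 already covers the benign case, so 02b's value lies in making this mismatch explicit rather than incidental.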
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/expected.yaml new file mode 100644 index 000000000..f9249e157 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + tlsCertificateRef: + namespace: educates-secrets + name: educates-example-com-tls + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/values.yaml new file mode 100644 index 000000000..3442e5a30 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03/values.yaml @@ -0,0 +1,9 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificateRef: + namespace: "educates-secrets" + name: "educates-example-com-tls" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/description.md new file mode 100644 index 000000000..3bfa468b5 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/description.md @@ -0,0 +1 @@ +kind with tlsCertificateRef for educates when they are in local secrets cache 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/expected.yaml new file mode 100644 index 000000000..eb742bdde --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + tlsCertificateRef: + namespace: educates-secrets + name: educates-example-com-fromcache-tls + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/values.yaml new file mode 100644 index 000000000..80cd90535 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-03b/values.yaml @@ -0,0 +1,9 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificateRef: + namespace: "educates-secrets" + name: "educates-example-com-fromcache-tls" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/description.md new file mode 100644 index 000000000..8a2eb47d7 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/description.md 
@@ -0,0 +1 @@ +kind with tlsCertificateRef and caCertificateRef for educates diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/expected.yaml new file mode 100644 index 000000000..32b836bff --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/expected.yaml @@ -0,0 +1,43 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + tlsCertificateRef: + namespace: educates-secrets + name: educates-example-com-tls + caCertificateRef: + namespace: educates-secrets + name: educates-example-com-ca + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/values.yaml new file mode 100644 index 000000000..12a091d57 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04/values.yaml @@ -0,0 +1,12 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificateRef: + namespace: "educates-secrets" + name: "educates-example-com-tls" + caCertificateRef: + namespace: "educates-secrets" + name: "educates-example-com-ca" 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/description.md new file mode 100644 index 000000000..d31ef88a1 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/description.md @@ -0,0 +1 @@ +kind with tlsCertificateRef and caCertificateRef for educates when they are in local secrets cache diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/expected.yaml new file mode 100644 index 000000000..dca194adf --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/expected.yaml @@ -0,0 +1,43 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + tlsCertificateRef: + namespace: educates-secrets + name: educates-example-com-fromcache-tls + caCertificateRef: + namespace: educates-secrets + name: educates-example-com-fromcache-ca + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/values.yaml new file mode 100644 index 000000000..e41122a03 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-04b/values.yaml 
@@ -0,0 +1,12 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificateRef: + namespace: "educates-secrets" + name: "educates-example-com-fromcache-tls" + caCertificateRef: + namespace: "educates-secrets" + name: "educates-example-com-fromcache-ca" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/description.md new file mode 100644 index 000000000..6d9726c7f --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/description.md @@ -0,0 +1 @@ +kind with tlsCertificate for educates diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/expected.yaml new file mode 100644 index 000000000..05024d28e --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/expected.yaml @@ -0,0 +1,46 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + tlsCertificate: + tls.crt: | + -----BEGIN CERTIFICATE----- + "TLS_CRT" + -----END CERTIFICATE----- + tls.key: | + -----BEGIN CERTIFICATE----- + "TLS_KEY" + -----END CERTIFICATE----- + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/values.yaml new file mode 100644 index 000000000..b6bd2ed51 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-05/values.yaml @@ -0,0 +1,15 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificate: + tls.crt: | + -----BEGIN CERTIFICATE----- + "TLS_CRT" + -----END CERTIFICATE----- + tls.key: | + -----BEGIN CERTIFICATE----- + "TLS_KEY" + -----END CERTIFICATE----- diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/description.md new file mode 100644 index 000000000..7f946ee89 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/description.md @@ -0,0 +1 @@ +kind with tlsCertificate and caCertificate for educates diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/expected.yaml new file mode 100644 index 000000000..a70d8e221 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/expected.yaml 
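Review bot: The `tls.key` placeholder in test-kind-scenario-05/values.yaml (and the matching expected.yaml just above) is wrapped in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`, which is the PEM label for a certificate, not a private key. Nothing breaks today because the installer appears to pass the block through verbatim, but any future PEM-type check before the key is written into a Secret would be exercised against an input no real deployment produces. I would change the placeholder to `-----BEGIN PRIVATE KEY-----` / `"TLS_KEY"` / `-----END PRIVATE KEY-----` in both files, and likewise in scenarios 06, 08c and 08d, which copy the same block.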
@@ -0,0 +1,51 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + tlsCertificate: + tls.crt: | + -----BEGIN CERTIFICATE----- + "TLS_CRT" + -----END CERTIFICATE----- + tls.key: | + -----BEGIN CERTIFICATE----- + "TLS_KEY" + -----END CERTIFICATE----- + caCertificate: + ca.crt: | + -----BEGIN CERTIFICATE----- + "CA_CRT" + -----END CERTIFICATE----- + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/values.yaml new file mode 100644 index 000000000..6b5ef49ad --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-06/values.yaml @@ -0,0 +1,20 @@ +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificate: + tls.crt: | + -----BEGIN CERTIFICATE----- + "TLS_CRT" + -----END CERTIFICATE----- + tls.key: | + -----BEGIN CERTIFICATE----- + "TLS_KEY" + -----END CERTIFICATE----- + caCertificate: + ca.crt: | + -----BEGIN CERTIFICATE----- + "CA_CRT" + -----END CERTIFICATE----- diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/description.md new file mode 100644 index 000000000..3bc5fe6ad --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/description.md 
@@ -0,0 +1 @@ +kind with infrastructure.caCertificateRef and cert-manager enabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/expected.yaml new file mode 100644 index 000000000..96a197e5f --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/expected.yaml @@ -0,0 +1,52 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: true + settings: + clusterResourceNamespace: educates-secrets + external-dns: + enabled: false + settings: {} + certs: + enabled: true + settings: + domains: + - educates.example.com + certProvider: local + local: + caCertificateRef: + name: educates-example-com-ca + namespace: educates-secrets + wildcardCertificateNamespace: educates-secrets + certmanagerClusterResourceNamespace: educates-secrets + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + caCertificateRef: + namespace: educates-secrets + name: educates-example-com-ca + caNodeInjector: + enabled: true + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/values.yaml new file mode 100644 index 000000000..2d4ddd2d1 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07/values.yaml @@ -0,0 +1,9 @@ +clusterInfrastructure: + provider: "kind" + caCertificateRef: + name: "educates-example-com-ca" + namespace: "educates-secrets" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" 
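Review bot: test-kind-scenario-07/expected.yaml shows that supplying only `clusterInfrastructure.caCertificateRef` switches on three things the values never mention: the cert-manager package, the certs package with `certProvider: local`, and `caNodeInjector: enabled: true` under educates. The node injector presumably alters trust on the cluster nodes themselves (its mechanics are not visible in this diff), which is a larger privilege footprint than "a CA reference" suggests, so the implicit expansion should be stated where someone reading these scenarios will see it. Suggest the description read `kind with infrastructure.caCertificateRef: implicitly enables cert-manager, the certs package (local CA issuer) and the educates caNodeInjector`; the same wording applies to 07b.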
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/description.md new file mode 100644 index 000000000..0c11936ba --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/description.md @@ -0,0 +1,2 @@ +kind with infrastructure.caCertificateRef and cert-manager enabled when they are in local secrets cache +TODO: When pushing the local secrets in cache we need to configure educates to use the secret generated by cert-manager's wildcard cluster issuer diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/expected.yaml new file mode 100644 index 000000000..7eee50292 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/expected.yaml @@ -0,0 +1,52 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: true + settings: + clusterResourceNamespace: educates-secrets + external-dns: + enabled: false + settings: {} + certs: + enabled: true + settings: + domains: + - educates.example.com + certProvider: local + local: + caCertificateRef: + name: educates-example-com-fromcache-ca + namespace: educates-secrets + wildcardCertificateNamespace: educates-secrets + certmanagerClusterResourceNamespace: educates-secrets + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + caCertificateRef: + namespace: educates-secrets + name: educates-example-com-fromcache-ca + caNodeInjector: + enabled: true + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/values.yaml new file mode 100644 index 000000000..87b59949b --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-07b/values.yaml @@ -0,0 +1,9 @@ +clusterInfrastructure: + provider: "kind" + caCertificateRef: + name: "educates-example-com-fromcache-ca" + namespace: "educates-secrets" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/description.md new file mode 100644 index 000000000..edaf25663 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/description.md @@ -0,0 +1 @@ +kind with without educates diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml new file mode 100644 index 000000000..a418e5ed6 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/expected.yaml @@ -0,0 +1,31 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: false + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/values.yaml new file mode 100644 index 000000000..3f5336d1b --- /dev/null 
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08/values.yaml @@ -0,0 +1,9 @@ +clusterPackages: + educates: + enabled: false +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/description.md new file mode 100644 index 000000000..636f542c8 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/description.md @@ -0,0 +1 @@ +kind without educates and without using a clusterSecurity policy engine diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml new file mode 100644 index 000000000..a418e5ed6 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/expected.yaml @@ -0,0 +1,31 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: false + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/values.yaml new file mode 100644 index 000000000..2ce8b0365 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08b/values.yaml 
@@ -0,0 +1,9 @@ +clusterPackages: + educates: + enabled: false +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "none" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/description.md new file mode 100644 index 000000000..dd4fe389b --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/description.md @@ -0,0 +1,2 @@ +kind without educates package without using a clusterSecurity policy engine +but with tls certificate provided for the domain diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml new file mode 100644 index 000000000..a418e5ed6 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/expected.yaml @@ -0,0 +1,31 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: false + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/values.yaml new file mode 100644 index 000000000..9a8e46857 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08c/values.yaml 
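Review bot: test-kind-scenario-08c/expected.yaml is identical to 08's and 08b's (same blob index a418e5ed6) even though its values supply a `clusterIngress.tlsCertificate`, so the test pins that a user-provided certificate is silently dropped when the educates package is disabled: contour's settings carry no TLS material and certs stays `enabled: false`. Silently discarding TLS input is worth calling out, since an operator who passes a certificate and sees contour come up would reasonably expect it to be served. Either the description should state the drop explicitly, e.g. `tlsCertificate is ignored (not wired to contour) when educates is disabled`, or, if the installer ought to reject or warn on this input, the scenario should expect that instead. Scenario 08d has the same shape.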
@@ -0,0 +1,18 @@ +clusterPackages: + educates: + enabled: false +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "none" +clusterIngress: + domain: "educates.example.com" + tlsCertificate: + tls.crt: | + -----BEGIN CERTIFICATE----- + "TLS_CRT" + -----END CERTIFICATE----- + tls.key: | + -----BEGIN CERTIFICATE----- + "TLS_KEY" + -----END CERTIFICATE----- diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/description.md new file mode 100644 index 000000000..e8a11f29d --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/description.md @@ -0,0 +1,2 @@ +kind without educates package and kyverno package and using kyverno clusterSecurity policy engine. +This should not re-enable kyverno since educates is disabled. diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml new file mode 100644 index 000000000..27d97363b --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/expected.yaml @@ -0,0 +1,31 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: false + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: false + settings: {} diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/values.yaml new file mode 100644 index 000000000..46528dcac --- /dev/null 
+++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-08d/values.yaml @@ -0,0 +1,20 @@ +clusterPackages: + kyverno: + enabled: false + educates: + enabled: false +clusterInfrastructure: + provider: "kind" +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" + tlsCertificate: + tls.crt: | + -----BEGIN CERTIFICATE----- + "TLS_CRT" + -----END CERTIFICATE----- + tls.key: | + -----BEGIN CERTIFICATE----- + "TLS_KEY" + -----END CERTIFICATE----- diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/description.md new file mode 100644 index 000000000..29b7e3ba0 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/description.md @@ -0,0 +1 @@ +kind with imageRegistry with no namespace defined diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/expected.yaml new file mode 100644 index 000000000..778d0eea7 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + imageRegistry: + namespace: "" + host: kind-registry + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/values.yaml new file mode 100644 index 000000000..37d5915d9 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09/values.yaml @@ -0,0 +1,6 @@ +clusterInfrastructure: + provider: "kind" +imageRegistry: + host: "kind-registry" +clusterIngress: + domain: "educates.example.com" \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/description.md new file mode 100644 index 000000000..f23985daf --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/description.md @@ -0,0 +1 @@ +kind with imageRegistry with namespace defined diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/expected.yaml new file mode 100644 index 000000000..552ce2acd --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/expected.yaml @@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + imageRegistry: + namespace: educates + host: kind-registry + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/values.yaml new file mode 100644 index 000000000..250f9274b --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-09b/values.yaml @@ -0,0 +1,7 @@ +clusterInfrastructure: + provider: "kind" +imageRegistry: + host: "kind-registry" + namespace: "educates" +clusterIngress: + domain: "educates.example.com" \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/description.md new file mode 100644 index 000000000..ec652ab9d --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/description.md @@ -0,0 +1 @@ +kind with imagePuller disabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/expected.yaml new file mode 100644 index 000000000..473d53409 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/expected.yaml @@ -0,0 +1,41 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + imagePuller: + enabled: false + prePullImages: + - base-environment \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/values.yaml new file mode 100644 index 000000000..c598d42b6 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10/values.yaml @@ -0,0 +1,6 @@ +clusterInfrastructure: + provider: "kind" +clusterIngress: + domain: "educates.example.com" +imagePuller: + enabled: false \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/description.md new file mode 100644 index 000000000..441f2e57e --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/description.md @@ -0,0 +1 @@ +kind with imagePuller enabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/expected.yaml new file mode 100644 index 000000000..30423cc99 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/expected.yaml @@ -0,0 +1,41 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + imagePuller: + enabled: true + prePullImages: + - base-environment \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/values.yaml new file mode 100644 index 000000000..3da5fcb8a --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10b/values.yaml @@ -0,0 +1,6 @@ +clusterInfrastructure: + provider: "kind" +imagePuller: + enabled: true +clusterIngress: + domain: "educates.example.com" \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/description.md new file mode 100644 index 000000000..69d3971b5 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/description.md @@ -0,0 +1 @@ +kind with imagePuller enabled and prePullImage provided diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/expected.yaml new file mode 100644 index 000000000..f72366cd7 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/expected.yaml @@ -0,0 +1,41 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + imagePuller: + enabled: true + prePullImages: + - jdk17-environment \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/values.yaml new file mode 100644 index 000000000..7de29a216 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-10c/values.yaml @@ -0,0 +1,8 @@ +clusterInfrastructure: + provider: "kind" +imagePuller: + enabled: true + prePullImages: + - "jdk17-environment" +clusterIngress: + domain: "educates.example.com" \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/description.md new file mode 100644 index 000000000..30f7f0ccd --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/description.md @@ -0,0 +1 @@ +kind with kapp-controller enabled diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/expected.yaml new file mode 100644 index 000000000..88dd76633 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: true + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/values.yaml new file mode 100644 index 000000000..536f2bd23 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-11/values.yaml @@ -0,0 +1,7 @@ +clusterInfrastructure: + provider: "kind" +clusterIngress: + domain: "educates.example.com" +clusterPackages: + kapp-controller: + enabled: true diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/description.md new file mode 100644 index 000000000..1b58b3af6 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/description.md @@ -0,0 +1 @@ +kind with educates mixture of top-level values and clusterPackage values diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/expected.yaml new file mode 100644 index 000000000..ad3e4cd06 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/expected.yaml @@ -0,0 +1,38 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + class: clusterIngressClass + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/values.yaml new file mode 100644 index 000000000..22e8b2abf --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12/values.yaml @@ -0,0 +1,9 @@ +clusterInfrastructure: + provider: "kind" +clusterPackages: + educates: + settings: + clusterIngress: + domain: "educates.example.com" +clusterIngress: + class: "clusterIngressClass" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/description.md new file mode 100644 index 000000000..b1fa96a47 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/description.md @@ -0,0 +1,2 @@ +kind with educates mixture of top-level values and clusterPackage values. +Top level values are the ones to remain in case both are provided diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/expected.yaml new file mode 100644 index 000000000..fd0176993 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: THIS.domain.should.remain + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno \ No newline at end of file 
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/values.yaml new file mode 100644 index 000000000..d556a468e --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12b/values.yaml @@ -0,0 +1,10 @@ +clusterInfrastructure: + provider: "kind" +clusterPackages: + educates: + enabled: true + settings: + clusterIngress: + domain: "educates.example.com" +clusterIngress: + domain: "THIS.domain.should.remain" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md new file mode 100644 index 000000000..b1fa96a47 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/description.md @@ -0,0 +1,2 @@ +kind with educates mixture of top-level values and clusterPackage values. +Top level values are the ones to remain in case both are provided diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml new file mode 100644 index 000000000..de47fb62f --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/expected.yaml 
@@ -0,0 +1,40 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: THIS.domain.should.remain + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno + lookupService: + enabled: true + ingressPrefix: THIS_SHOULD_REMAIN diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml new file mode 100644 index 000000000..479eadea2 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-12c/values.yaml @@ -0,0 +1,16 @@ +clusterInfrastructure: + provider: "kind" +clusterPackages: + educates: + enabled: true + settings: + clusterIngress: + domain: "educates.example.com" + lookupService: + enabled: false + ingressPrefix: "THIS_SHOULD_GO_AWAY" +clusterIngress: + domain: "THIS.domain.should.remain" +lookupService: + enabled: true + ingressPrefix: "THIS_SHOULD_REMAIN" diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md new file mode 100644 index 000000000..60a69097e --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/description.md @@ -0,0 +1,2 @@ +kind using customized contour config and kapp-controller enabled +(Contour config would be defaulted and provided will not be used) 
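Review bot: Scenario-12c's `description.md` is the same blob as 12b's (index `b1fa96a47`), so it does not say what 12c adds over 12b, which from the values/expected pair here is the lookupService precedence check: the top-level `lookupService` block (`enabled: true`, `ingressPrefix: "THIS_SHOULD_REMAIN"`) wins over the one nested under `clusterPackages.educates.settings`. Suggest appending a line to the 12c description such as `Also verifies that top-level lookupService overrides clusterPackages.educates.settings.lookupService`.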
diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/expected.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/expected.yaml new file mode 100644 index 000000000..896da4938 --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/expected.yaml @@ -0,0 +1,37 @@ +clusterPackages: + contour: + enabled: true + settings: + infraProvider: kind + contour: + replicas: 1 + configFileContents: + defaultHttpVersions: + - HTTP/1.1 + service: + type: ClusterIP + useHostPorts: true + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: true + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: kyverno diff --git a/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/values.yaml b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/values.yaml new file mode 100644 index 000000000..c4c50749f --- /dev/null +++ b/carvel-packages/installer/scenarios/kind/test-kind-scenario-13/values.yaml @@ -0,0 +1,16 @@ +--- +clusterInfrastructure: + provider: "kind" +clusterPackages: + contour: + enabled: true + settings: + configFileContents: + defaultHttpVersions: + - "HTTP/1.1" + kapp-controller: + enabled: true +clusterSecurity: + policyEngine: "kyverno" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/minica/educates.example.com/cert.pem b/carvel-packages/installer/scenarios/minica/educates.example.com/cert.pem new file mode 100644 index 000000000..e9a895a98 --- /dev/null +++ b/carvel-packages/installer/scenarios/minica/educates.example.com/cert.pem 
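Review bot: Scenario-13 cannot demonstrate what its description claims, because the contour `configFileContents.defaultHttpVersions` supplied in `values.yaml` (`- "HTTP/1.1"`) is the same value every other kind scenario on this page shows as the default, so `expected.yaml` comes out identical whether the provided config is honoured or discarded. Supplying a value that differs from the default (a constructed example: a second entry `- "HTTP/2"`) would make the expectation actually exercise the "provided will not be used" behaviour. As written, the only thing this expectation pins beyond scenario-11 is nothing, since both differ from the baseline solely in `kapp-controller.enabled`.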
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQzCCAiugAwIBAgIILFi6lR0CxhowDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMWEzZGQyMB4XDTI0MDMwNTE2MDk0NVoXDTI2MDQw +NDE1MDk0NVowHzEdMBsGA1UEAxMUZWR1Y2F0ZXMuZXhhbXBsZS5jb20wggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0aQ2Cb8DNpRXPqObdK9NeNCJMpTsN +efjIwCBu6pBj4hWpcqea75Y1z0dIz8fM0Zec/SNUyFbcUOEAEkf56MrKKy+gmQWI +TUp+EzfyL2vwmpPedBiYSbM6LFo+0kDBvek65PbTD7ZFKcM/6D2+EJG1ibjjQIPV +lmLd7311r8JRCzBVOrq41I5KaPOZ4D8VvMOPyXJlMk2YC5T8YHuBhTgwPa9mbJel +rHQVJHfZ725VTDtDVxepSwNDV49CciahbMvErdnxEOxmGELz+P79P4EgustyZoY2 +CyLWddYduxMQNIVxOrfqnfYA5dSxdpYGUhlDcLN2O30rzQbDOxEKhsL1AgMBAAGj +gYEwfzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF +BwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNVdfc/wUzJvMF5o5jwbLuWq6 +vkgwHwYDVR0RBBgwFoIUZWR1Y2F0ZXMuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEL +BQADggEBAG98NSBc3MEyr6V3g5QhXOl7vDoNiGOP5i6EGxnoUQ5qLjcdY9ANdSmr +y465GPgHwV6G99SJWbXXaW2+qDOiGYsAJax+uSEoj6UOr586AgDQdNnckbuSxbGi +jLD8ET4CCUn9EWlbaPoqgyQNOPKldfxHgHIPPSuxob7SVkd8iky1VKeYXgt94hyv +bktxDu3vE9AHKMk+oUxqCsRKm282lJiLuEKafXOw+TCISgGbpkEGvzc0xjJDN5Ff +/Qm3v9GUcXZmW3JJqKexdgfeTslriSX/u2wFKdmpx1fMTLtL7PN34aVdIBE9GXuc ++F9t3cbiIdO8937Ztw09QkeUO4X1BoU= +-----END CERTIFICATE----- diff --git a/carvel-packages/installer/scenarios/minica/educates.example.com/key.pem b/carvel-packages/installer/scenarios/minica/educates.example.com/key.pem new file mode 100644 index 000000000..b0b74e4a7 --- /dev/null +++ b/carvel-packages/installer/scenarios/minica/educates.example.com/key.pem 
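Review bot: The leaf certificate's validity window should be documented next to the fixture, because decoding the Validity sequence in the base64 (`...MB4XDTI0MDMwNTE2MDk0NVoXDTI2MDQwNDE1MDk0NVow...`) appears to give notBefore 2024-03-05 and notAfter 2026-04-04, after which any scenario that actually validates this chain will start failing with no hint why. A README line in the `minica/` directory stating the expiry and how to regenerate the pair would avoid that, e.g. `educates.example.com/cert.pem expires 2026-04-04 (UTC); regenerate cert.pem and key.pem together`. The dates are my reading of the DER and should be confirmed with `openssl x509 -noout -dates`.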
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAtGkNgm/AzaUVz6jm3SvTXjQiTKU7DXn4yMAgbuqQY+IVqXKn +mu+WNc9HSM/HzNGXnP0jVMhW3FDhABJH+ejKyisvoJkFiE1KfhM38i9r8JqT3nQY +mEmzOixaPtJAwb3pOuT20w+2RSnDP+g9vhCRtYm440CD1ZZi3e99da/CUQswVTq6 +uNSOSmjzmeA/FbzDj8lyZTJNmAuU/GB7gYU4MD2vZmyXpax0FSR32e9uVUw7Q1cX +qUsDQ1ePQnImoWzLxK3Z8RDsZhhC8/j+/T+BILrLcmaGNgsi1nXWHbsTEDSFcTq3 +6p32AOXUsXaWBlIZQ3Czdjt9K80GwzsRCobC9QIDAQABAoIBADpe0vQk3CitBQWP +DEL67wRHseFChHyzvf6VyuiYE+d9Oqz8X6YNZng6fEHemDJ4jalJbaj8uL3HnUS8 +pXUCELqghmRbniKffz6TUUKWfUH3gWgz/9El50snFnvE4xbMLy3S7tkS+FIgVP/U +UEWybrJhwOQl94GfipVr6xesqh42CUFfjvVT7fgH0fc0zyTIzJ0f4Ice5EWXdfr4 +Tpx7DHPLNN6Iu8OqzstpVPPTfLSjGbWyNWTShU2J1yDXpjr0ICrh2rg5NC2Nqprr +w3L7/+vW8GyhLLssczGNomlvnamYC0oUpHiyfj1eLw6gnir/VX/EA759FeUav1h+ +nqugmgECgYEAy0Q51sp0RrFI3CH8junVYb4ri5j3mAlG8PhfiQ5Y1dDaJ/xBIQpR +PnMO8+9klk8+CMyxdep0WZtXeyiR2179E57v7RUEgt1w/mMrfwMkoVlPgjBdTiHw +wfiYujeExGnbIHw80U6xz+Y5NVAGxpGEe+dTund46ImwMFFUKq6vP9UCgYEA4zba +7aCXAP6de+F44mzPXRx29Scfk3UIA6d+08ZD5D7wrkT3CbOqL8+rv+4cV/MghSGO +XZ218V7MfmjNIgjLcBtJR2Ioj+StWc6ve0Jn6hE5ZYOx46iWzN+XnbiyJAp84P7Y +J0HFuHs02fMwMv4IekMH7EOROIMykGGagsB+JqECgYADRnYoH9r/yJuD8IhBRUNK +7+WDulNC/+NEvrvLWY/U4iihvE7QWXo1p2T2SUU1ptE5ExNI8x4s03P1aBHxlvY8 ++rKi/1OzSB4p+y8YPNS6RNYjIuRd/e4DMh5D4eEhyRLe0yGnvbzfvLXvRfrV+EJK +PM/8kTBBjvZn0OeqSGZKgQKBgCao+8E49NiPeh5M8/OazgGqyTbXTFEbtZxhkHva +HU0lxG/yfhIhhtCRxkhm7F2umZbtabrWDdIe7i6ICHdFBdByZBqIQhyRrUk9mLAh +UWsLOTfjm43/7oC3fqWwemcVfcAOvJqZX1oPZKO89DOI88pRw3RY3sm90QmuActD +k3NhAoGBAJoKkNRqeJl+Ro6SF3zVvNRM6Uoxaa0M/ldNBCbbnoP7j6zjQPvsk7tZ +wjcTW/vsjFNEOqCz97cIi3r35Fs9VDnK1B81t8JbeJa8YWFh/uDOnxJ1ksZvbFBu +rmWfy2CyMb8TDteetPXsM0dPQYGZTI23ej6JVeav3DrUGSj2ZBhd +-----END RSA PRIVATE KEY----- diff --git a/carvel-packages/installer/scenarios/minica/minica-key.pem b/carvel-packages/installer/scenarios/minica/minica-key.pem new file mode 100644 index 000000000..50cd25e58 --- /dev/null +++ b/carvel-packages/installer/scenarios/minica/minica-key.pem 
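Review bot: Committing the private keys `key.pem` here and `minica-key.pem` in the next hunk is the point to raise: they are the only secret material in the change and nothing on the page marks them as throwaway test fixtures. Secret scanners (GitHub push protection, gitleaks and similar) will flag `-----BEGIN RSA PRIVATE KEY-----` on every future scan, and keeping a CA key in the tree means any certificate it signs is trusted by whatever developer machine or cluster has imported `minica.pem`. If the scenarios only need the files to exist for ytt to read, generating the pair at test time in `test-scenarios.sh` (which already depends on external tools such as `yq`) avoids storing keys at all; failing that, a README in `minica/` stating that these keys are test-only and must never be imported into a real trust store keeps the intent explicit. The `minica` directory name suggests they were produced with minica, which I have not verified.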
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA14Bevn0LLETBt6k6TMysdb9ioFy6qh43gE6KIQQ2iFaMUlhf +tJ4tMbTBTPUPLRTha/9Mtrx3G67qVjjBGVP9CdZHq+lc8qW/EOUDy6zq75/22RjQ +4aiGNZQSrcK6s1B6RfASqFqfvNjMWcKvkip7hs2zlmndkObWF820VjSTrNQXVGPW +IYDXBgdv/7T30RAdJRliIg88SJWFZgO57obCaFI1LSWsSfvA70pPm8w1fqKxAlVb +jbV0htkdN1l+uE13cnCkxrHoI40+1eJR0ef5335JiyZub4LqdelzvTH1RYpmc1K8 +r9BCbrua+tpzQYyW6ye/9MwB81KaXYGfa3QOLwIDAQABAoIBAEouxm6MXOxAPu8a +Mhd93WArIahSQ2+MN07TunjjGmKUaHlwMoHacXRK5L+5HCBIr9Cdcar19YpyC/ji +UJaHcvOP79wd2QEuTTdjnoreW4Fhb3gMMtt7R7fp4QQvpFVVvsGUgtexWouHldDQ +U9/c/+jHpqqAhuT6kXhgN1P1hWBYgBHVhy57akl5jeSbBwq/Oy0Kj8CyvtWTEP7R +JB+GKSv2A+bY/KoI/rZxnDfozdZa8STH4vpsG8VRbMkkC3SsrybjeP3YxzcbyS3F +6UV9UHxIZmeHjK27cdpSgzz91BZmkGcFZ8gdBMCXKgGaW+LRT93vyfvi2puKLBY5 +8IxDIAECgYEA2s3LsmVrHIb+qyO/amFe41PSqx1CzGZHAuuCm5pWiku8FipbR5lh +qZeHJ8mycsK7FXJpj0aJgLFjW1Kh0bv/UIB8SbC42yClfYXRgH/ly+Fp0FgJFZ6H +rIirNcVN5Ws91/KPVop3HMViqWmtLyQhSSqnZ+U0mOd+zaPdZCrxaa8CgYEA/CLa +q38NGH0s0Nzyg+38sA43IxnUy0vFieawp2Y6SbLtdARHRFZ72lhNp+TtCBl9fcoZ +do4sEFKWO5m5QfKXGI+zW8wOx9aSDi+TpIbzCtergEgEbOja7csPbVx2kZ7O1vkS +ZC1ITC3uysuW9nBsi082LXF9AqoX+tZCeaNrQ4ECgYEAp7rA3vWuAYVerlTOBL+1 +3LBCO5hHv6bb4tolGiFbG9Lo0VkQ9jcXTclx+0c7+4tZnRxC3WlmOPhCwRv8Hmpu +UwjbviWx35EMK8gsjMP+pacb1XHXLPKE8PcnwCWLDEaEdwljZiTpIG4TrujqsMuS +lKMVB6kGA/zaEMwACCx/OdMCgYEAw3paQn+8LXJO3peORg6qy+wZf1M1kW/rdOCv +sPkm06CvTDVM84SBfWTcwABSbOcmTfH0D+Bl9TmyU/74jFKCJn6ytcbc5r5KekkU +lIgzwgI3artrAuz9X0MBcO4w1vFit3Rfd99LoBQ0gHGbVvEOlmsRO+Yy32/0K3sW +CqxSKwECgYABoRFmqDOpQqPDbl3R5H7uah14Q+U0z/g+WUT+yV3cF11qF11479F5 +QpbnL+x3SHWcUACnf3wdnCMChz6+vKWqQyrVE4SolaZoRMHg1X8bLjC6Qcvo1mrh +v7ZpWsSSsocWcRrUvVpNEwfS42SjUCcL34Co0dpJ36FWc2Lg9HOjfg== +-----END RSA PRIVATE KEY----- diff --git a/carvel-packages/installer/scenarios/minica/minica.pem b/carvel-packages/installer/scenarios/minica/minica.pem new file mode 100644 index 000000000..7ba7e9f09 --- /dev/null +++ b/carvel-packages/installer/scenarios/minica/minica.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIIGj3S9tN2wR4wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMWEzZGQyMCAXDTI0MDIwODE2NTUzMVoYDzIxMjQw +MjA4MTY1NTMxWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAxYTNkZDIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXgF6+fQssRMG3qTpMzKx1v2Kg +XLqqHjeAToohBDaIVoxSWF+0ni0xtMFM9Q8tFOFr/0y2vHcbrupWOMEZU/0J1ker +6Vzypb8Q5QPLrOrvn/bZGNDhqIY1lBKtwrqzUHpF8BKoWp+82MxZwq+SKnuGzbOW +ad2Q5tYXzbRWNJOs1BdUY9YhgNcGB2//tPfREB0lGWIiDzxIlYVmA7nuhsJoUjUt +JaxJ+8DvSk+bzDV+orECVVuNtXSG2R03WX64TXdycKTGsegjjT7V4lHR5/nffkmL +Jm5vgup16XO9MfVFimZzUryv0EJuu5r62nNBjJbrJ7/0zAHzUppdgZ9rdA4vAgMB +AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQ1V19z/BTMm8wX +mjmPBsu5arq+SDAfBgNVHSMEGDAWgBQ1V19z/BTMm8wXmjmPBsu5arq+SDANBgkq +hkiG9w0BAQsFAAOCAQEAO2bTVLdZhj/nJoRdsNY3z56muFxibRVTh7V6S2QEh/fM +mKGOJ8lwOjmOUEONVCq80052OCS8Km1ODtt1iDkmPUkd/XJkiRnMyI4ANMTePZ1S +D0VuMfxRWgFCJM6GWSjUjz3cB9xysQlm3FqtPa+D//lXe37TN4HcjlbhPZz2c7LB +Qjzm15500rUlXRjbuRURHpbqtXGKjVXMwnbTKlxQwV4twisDDwjBDyk8qbcIcKrG +ZwQL0zCeBT6tv+MprWuj+AH+ouTdsGet2ISzOO3KtDqZirHALxo9BotblXNLVtfz +Nqprnk73cNDWMzP9eim9qLawdzfrZL0TDomkqK90Ng== +-----END CERTIFICATE----- diff --git a/carvel-packages/installer/scenarios/test-scenarios.sh b/carvel-packages/installer/scenarios/test-scenarios.sh new file mode 100755 index 000000000..4f503019b --- /dev/null +++ b/carvel-packages/installer/scenarios/test-scenarios.sh 
@@ -0,0 +1,149 @@
+#!/bin/bash
+
+# Handle source locations that might be a symlink (ref: http://bit.ly/2kcvSCS)
+SOURCE="${BASH_SOURCE[0]}"
+while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+ DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+ SOURCE="$(readlink "$SOURCE")"
+ [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+
+# Make a test to verify yq command is accesible and can be run or else fail with a message to install it
+yq --version >/dev/null 2>&1
+result=$?
+if [[ "$result" -ne 0 ]]
+then
+ echo "yq command not found. Please install it from https://github.com/mikefarah/yq/releases"
+ exit 1
+fi
+
+#
+# Colors for echo
+#
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+function help {
+ local pattern=$1
+ pushd ${DIR} >/dev/null 2>&1
+ for test_dir in `ls -d {kind,eks,custom,gke,vcluster,generic}/test*/`
+ do
+ if [[ $test_dir != *${pattern}* ]]; then
+ continue
+ fi
+ pushd ${DIR}/${test_dir} >/dev/null 2>&1
+ echo "---------------------------------------------"
+ echo "Scenario ${test_dir}:"
+ echo "==="
+ cat description.md
+ echo "==="
+ echo ""
+ popd >/dev/null 2>&1
+ done
+ popd >/dev/null 2>&1
+}
+
+function todo {
+ local pattern=$1
+ echo $pattern
+ pushd ${DIR} >/dev/null 2>&1
+ for test_dir in `ls -d {kind,eks,custom,gke,vcluster,generic}/test*/`
+ do
+ if [[ $test_dir != *${pattern}* ]]; then
+ continue
+ fi
+ pushd ${DIR}/${test_dir} >/dev/null 2>&1
+ cat description.md | grep TODO >/dev/null 2>&1
+ result=$?
+ if [[ "$result" -eq 0 ]]
+ then
+ echo "---------------------------------------------"
+ echo "Scenario ${test_dir}:"
+ echo "==="
+ cat description.md
+ echo "==="
+ echo ""
+ fi
+ popd >/dev/null 2>&1
+ done
+ popd >/dev/null 2>&1
+}
+
+function test {
+ local pattern=$1
+
+ pushd ${DIR} >/dev/null 2>&1
+ for test_dir in `ls -d {kind,eks,custom,gke,vcluster,generic}/test*/`
+ do
+ if [[ $test_dir != *${pattern}* ]]; then
+ continue
+ fi
+ pushd ${DIR}/${test_dir} >/dev/null 2>&1
+ echo "---------------------------------------------"
+ echo "Scenario ${test_dir}:"
+ echo "==="
+ cat description.md
+ echo "==="
+ RESULT_VALUES=$(ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=true | yq -P 'sort_keys(..)')
+ diff <(echo "$RESULT_VALUES") <(cat expected.yaml | yq -P 'sort_keys(..)')
+ result=$?
+ [[ "$result" -eq 0 ]] && echo "Result Diff Values/Expected: OK" || echo -e "Result Diff Values/Expected: ${RED}NO OK${NC}"
+ ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=false >/dev/null 2>&1
+ result=$?
+ [[ "$result" -eq 0 ]] && echo "Result ytt processing: OK" || echo -e "Result ytt processing: ${RED}NO OK${NC}"
+ popd >/dev/null 2>&1
+ done
+ popd >/dev/null 2>&1
+}
+
+function debug {
+ local pattern=$1
+ pushd ${DIR} >/dev/null 2>&1
+ for test_dir in `ls -d {kind,eks,custom,gke,vcluster,generic}/test*/`
+ do
+ if [[ $test_dir != *${pattern}* ]]; then
+ continue
+ fi
+ pushd ${DIR}/${test_dir} >/dev/null 2>&1
+ echo "---------------------------------------------"
+ echo "Scenario ${test_dir}:"
+ echo "==="
+ cat description.md
+ echo "==="
+ RESULT_VALUES=$(ytt --data-values-file values.yaml -f ${DIR}/../bundle/config/ytt --data-value-yaml debug=true)
+ result=$?
+ echo "$RESULT_VALUES" | yq -P 'sort_keys(..)'
+ [[ "$result" -eq 0 ]] ||
+ echo -e "${RED}Error processing ytt template${NC}"
+ popd >/dev/null 2>&1
+ done
+ popd >/dev/null 2>&1
+}
+
+for arg in "$@"
+do
+ case $arg in
+ -h|--help)
+ shift
+ help ${1:-"*"}
+ exit 0
+ ;;
+ -d|--debug)
+ shift
+ debug ${1:-"*"}
+ exit 0
+ ;;
+ -t|--todo)
+ shift
+ todo ${1:-"*"}
+ exit 0
+ ;;
+ *)
+ test ${1:-"*"}
+ exit 0
+ ;;
+ esac
+done
+# this last one is because it's not doing the for loop when there's no arguments
+test "*"
diff --git a/carvel-packages/installer/scenarios/vcluster/README.md b/carvel-packages/installer/scenarios/vcluster/README.md
new file mode 100644
index 000000000..24ab8b5c7
--- /dev/null
+++ b/carvel-packages/installer/scenarios/vcluster/README.md
@@ -0,0 +1,3 @@
+# vcluster
+For vcluster we only allow the opinionated configuration for the packages, so, not settings are allowed
+and no enablong/disabling of individual packages permitted.
\ No newline at end of file
diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/description.md b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/description.md
new file mode 100644
index 000000000..215972e82
--- /dev/null
+++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/description.md
@@ -0,0 +1 @@
+vcluster configuration with some overrides to see if they are set
diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/expected.yaml b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/expected.yaml
new file mode 100644
index 000000000..6875e09f1
--- /dev/null
+++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/expected.yaml
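Review bot: `echo $pattern` in `todo` is unquoted, so the default pattern `*` is glob-expanded against the current directory and prints a file listing instead of the pattern; drop the line (it reads as leftover debugging) or write `echo "$pattern"`. Naming the runner `function test` shadows the `test` builtin for the rest of the script and for anything that sources it; a rename such as `run_tests` (and `run_tests "*"` at the bottom) avoids that surprise. In `test` the exit status of the first `ytt` call is hidden by the `| yq` pipe, so a template error surfaces only as a confusing diff before the second `ytt` run reports it; `set -o pipefail` near the top, or checking `${PIPESTATUS[0]}` after the assignment, reports it at the point of failure. The four `ls -d ...` backtick loops can iterate the glob `{kind,eks,custom,gke,vcluster,generic}/test*/` directly, which also removes the word-splitting on `ls` output and the stderr noise when one of those directories is absent.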
@@ -0,0 +1,34 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: false + prePullImages: [] \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/values.yaml b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/values.yaml new file mode 100644 index 000000000..cff389625 --- /dev/null +++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-1/values.yaml @@ -0,0 +1,20 @@ +clusterInfrastructure: + provider: "vcluster" +clusterPackages: + educates: + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/description.md b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/description.md new file mode 100644 index 000000000..37f00eee9 --- /dev/null +++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/description.md @@ -0,0 +1,2 @@ +vcluster configuration with some overrides to see if they are set. +Since we are adding configuration for contour, it'll be enabled 
diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/expected.yaml b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/expected.yaml new file mode 100644 index 000000000..6875e09f1 --- /dev/null +++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/expected.yaml @@ -0,0 +1,34 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: false + prePullImages: [] \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/values.yaml b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/values.yaml new file mode 100644 index 000000000..7b92f4aaa --- /dev/null +++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-2/values.yaml @@ -0,0 +1,24 @@ +clusterInfrastructure: + provider: "vcluster" +clusterPackages: + contour: + enabled: true + settings: + infraProvider: "custom" + educates: + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/description.md b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/description.md new file mode 100644 index 000000000..b68ea1955 --- /dev/null 
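Review bot: The scenario-2 expectation contradicts its description: `description.md` says that adding contour configuration means "it'll be enabled", yet `expected.yaml` keeps `contour: enabled: false` with `settings: {}` and is the same blob (index `6875e09f1`) as the scenario-1 and scenario-3 expectations, so all three vcluster scenarios assert identical output. The vcluster README in this change states that enabling individual packages is not permitted for this provider, which suggests the expectation is right and the description wrong; a wording such as `Contour settings and enabled: true are provided, but for vcluster the opinionated defaults win and contour stays disabled` would match what the test checks. If the intent really is for contour to be enabled, `expected.yaml` is the file to change instead.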
+++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/description.md @@ -0,0 +1,2 @@ +vcluster configuration with some overrides to see if they are set +We're adding configuration to contour, but not enablign the package, so it should be empty \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/expected.yaml b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/expected.yaml new file mode 100644 index 000000000..6875e09f1 --- /dev/null +++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/expected.yaml @@ -0,0 +1,34 @@ +clusterPackages: + contour: + enabled: false + settings: {} + cert-manager: + enabled: false + settings: {} + external-dns: + enabled: false + settings: {} + certs: + enabled: false + settings: {} + kyverno: + enabled: true + settings: {} + kapp-controller: + enabled: false + settings: {} + educates: + enabled: true + settings: + clusterIngress: + domain: educates.example.com + clusterSecurity: + policyEngine: kyverno + workshopSecurity: + rulesEngine: none + workshopAnalytics: + google: + trackingId: analytics + imagePuller: + enabled: false + prePullImages: [] \ No newline at end of file diff --git a/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/values.yaml b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/values.yaml new file mode 100644 index 000000000..7d5f8d835 --- /dev/null +++ b/carvel-packages/installer/scenarios/vcluster/test-vcluster-scenario-3/values.yaml 
@@ -0,0 +1,24 @@ +clusterInfrastructure: + provider: "vcluster" +clusterPackages: + contour: + enabled: false + settings: + infraProvider: "custom" + educates: + settings: + imagePuller: + enabled: true + prePullImages: + - "a" +imagePuller: + enabled: true + prePullImages: + - "b" +workshopSecurity: + rulesEngine: "none" +workshopAnalytics: + google: + trackingId: "analytics" +clusterIngress: + domain: "educates.example.com" diff --git a/carvel-packages/repository.yaml b/carvel-packages/repository.yaml deleted file mode 100644 index 719e8b2f4..000000000 --- a/carvel-packages/repository.yaml +++ /dev/null @@ -1,11 +0,0 @@ -#@ load("@ytt:data", "data") - ---- -apiVersion: packaging.carvel.dev/v1alpha1 -kind: PackageRepository -metadata: - name: packages.educates.dev -spec: - fetch: - imgpkgBundle: - image: #@ "{}/educates-packages:{}".format(data.values.packageRepository, data.values.repositoryVersion) diff --git a/carvel-packages/training-platform/bundle/.imgpkg/bundle.yml b/carvel-packages/training-platform/bundle/.imgpkg/bundle.yml deleted file mode 100644 index 1f2a0de7d..000000000 --- a/carvel-packages/training-platform/bundle/.imgpkg/bundle.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: imgpkg.carvel.dev/v1alpha1 -kind: Bundle -metadata: - name: educates-training-platform -authors: -- name: Graham Dumpleton - email: gdumpleton@vmware.com -websites: -- url: github.com/vmware-tanzu-labs/educates-training-platform diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/overlays.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/overlays.yaml deleted file mode 100644 index 7c91657fc..000000000 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/overlays.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:overlay", "overlay") - -#@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+" ---- -metadata: - #@overlay/replace via=lambda left, right: "{}-baseline-{}".format(data.values.operator.namePrefix, left) - name: null - -#@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+" ---- -spec: - rules: - #@overlay/match by=overlay.all,expects="0+" - - match: - any: - #@overlay/match by=overlay.all,expects="0+" - - resources: - #@overlay/match missing_ok=True - namespaceSelector: - #@overlay/match missing_ok=True - matchExpressions: - - key: #@ "training.{}/policy.engine".format(data.values.operator.apiGroup) - operator: In - values: - - kyverno - - key: #@ "training.{}/policy.name".format(data.values.operator.apiGroup) - operator: In - values: - - baseline - - restricted - -#@overlay/match by=overlay.subset({"kind":"ClusterPolicy"}),expects="1+" ---- -spec: - validationFailureAction: enforce diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/resources.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/resources.yaml deleted file mode 100644 index a15d33f4d..000000000 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/resources.yaml +++ /dev/null @@ -1,4 +0,0 @@ -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - ---- #@ template.replace(library.get("upstream").eval()) diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/upstream.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/upstream.yaml deleted file mode 100644 index a15d33f4d..000000000 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/upstream.yaml +++ /dev/null @@ -1,4 +0,0 @@ -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - ---- #@ template.replace(library.get("upstream").eval()) 
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/resources.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/resources.yaml deleted file mode 100644 index a15d33f4d..000000000 --- a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/resources.yaml +++ /dev/null @@ -1,4 +0,0 @@ -#@ load("@ytt:library", "library") -#@ load("@ytt:template", "template") - ---- #@ template.replace(library.get("upstream").eval()) diff --git a/carvel-packages/training-platform/bundle/kbld-bundle.yaml b/carvel-packages/training-platform/bundle/kbld-bundle.yaml deleted file mode 100644 index e325d36bc..000000000 --- a/carvel-packages/training-platform/bundle/kbld-bundle.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: kbld.k14s.io/v1alpha1 -kind: Config -minimumRequiredVersion: 0.15.0 -searchRules: -- keyMatcher: - name: SESSION_MANAGER_IMAGE -- keyMatcher: - name: SECRETS_MANAGER_IMAGE -- keyMatcher: - name: TUNNEL_MANAGER_IMAGE -- keyMatcher: - name: TRAINING_PORTAL_IMAGE -- keyMatcher: - name: DOCKER_IN_DOCKER_IMAGE -- keyMatcher: - name: DOCKER_REGISTRY_IMAGE -- keyMatcher: - name: PAUSE_CONTAINER_IMAGE -- keyMatcher: - name: BASE_ENVIRONMENT_IMAGE -- keyMatcher: - name: JDK8_ENVIRONMENT_IMAGE -- keyMatcher: - name: JDK11_ENVIRONMENT_IMAGE -- keyMatcher: - name: CONDA_ENVIRONMENT_IMAGE diff --git a/carvel-packages/training-platform/config/images.yaml b/carvel-packages/training-platform/config/images.yaml deleted file mode 100644 index 9b5120e25..000000000 --- a/carvel-packages/training-platform/config/images.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -#@ load("@ytt:data", "data") - -#@ def image_reference(name): -#@ registry = data.values.imageRegistry.host -#@ if not registry: -#@ registry = "localhost:5001" -#@ end -#@ if data.values.imageRegistry.namespace: -#@ registry = "{}/{}".format(registry, data.values.imageRegistry.namespace) -#@ end -#@ return "{}/educates-{}:{}".format(registry, name, data.values.version) -#@ end - ---- -imageVersions: -- name: session-manager - image: #@ image_reference("session-manager") -- name: training-portal - image: #@ image_reference("training-portal") -- name: docker-registry - image: #@ image_reference("docker-registry") -- name: pause-container - image: #@ image_reference("pause-container") -- name: base-environment - image: #@ image_reference("base-environment") -- name: jdk8-environment - image: #@ image_reference("jdk8-environment") -- name: jdk11-environment - image: #@ image_reference("jdk11-environment") -- name: jdk17-environment - image: #@ image_reference("jdk17-environment") -- name: jdk21-environment - image: #@ image_reference("jdk21-environment") -- name: conda-environment - image: #@ image_reference("conda-environment") -- name: secrets-manager - image: #@ image_reference("secrets-manager") -- name: tunnel-manager - image: #@ image_reference("tunnel-manager") -- name: image-cache - image: #@ image_reference("image-cache") -- name: assets-server - image: #@ image_reference("assets-server") -- name: debian-base-image - image: "debian:sid-20230502-slim" -- name: docker-in-docker - image: "docker:20.10.18-dind" -- name: rancher-k3s-v1.27 - image: "rancher/k3s:v1.27.14-k3s1" -- name: rancher-k3s-v1.28 - image: "rancher/k3s:v1.28.10-k3s1" -- name: rancher-k3s-v1.29 - image: "rancher/k3s:v1.29.5-k3s1" -- name: rancher-k3s-v1.30 - image: "rancher/k3s:v1.30.1-k3s1" -- name: loftsh-vcluster - image: "loftsh/vcluster:0.18.1" -- name: contour-bundle - #! 
contour.community.tanzu.vmware.com.1.22.0 - image: "projects.registry.vmware.com/tce/contour@sha256:b68ad8ec3012db7d2a2e84f8544685012e2dca09d28d54dce8735fb60f0d05bf" diff --git a/carvel-packages/training-platform/config/metadata.yaml b/carvel-packages/training-platform/config/metadata.yaml deleted file mode 100644 index e017bfad3..000000000 --- a/carvel-packages/training-platform/config/metadata.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: PackageMetadata -metadata: - name: training-platform.educates.dev - namespace: educates-package -spec: - displayName: "Educates Training Platform" - shortDescription: "A platform for hosting interactive workshop environments in Kubernetes." - providerName: VMware - maintainers: - - name: "Graham Dumpleton" diff --git a/carvel-packages/training-platform/config/package.yaml b/carvel-packages/training-platform/config/package.yaml deleted file mode 100644 index fd23dda0a..000000000 --- a/carvel-packages/training-platform/config/package.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -#@ load("@ytt:data", "data") -#@ load("@ytt:yaml", "yaml") - -#@ def bundle_reference(): -#@ registry = data.values.imageRegistry.host -#@ if not registry or registry == "localhost:5001": -#@ registry = "registry.default.svc.cluster.local" -#@ end -#@ if data.values.imageRegistry.namespace: -#@ registry = "{}/{}".format(registry, data.values.imageRegistry.namespace) -#@ end -#@ return "{}/educates-training-platform:{}".format(registry, data.values.version) -#@ end - ---- -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: #@ "training-platform.educates.dev.{}".format(data.values.version) -spec: - refName: training-platform.educates.dev - version: #@ data.values.version - releasedAt: #@ data.values.releasedAt - valuesSchema: - openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"] - template: - spec: - fetch: - - imgpkgBundle: - image: #@ bundle_reference() - template: - - ytt: - paths: - - "config" - - "kbld-bundle.yaml" - valuesFrom: - - path: "kbld-images.yaml" - - kbld: - paths: - - ".imgpkg/images.yml" - - "-" - deploy: - - kapp: - rawOptions: - - "--app-changes-max-to-keep=5" diff --git a/client-programs/cmd/educates/main.go b/client-programs/cmd/educates/main.go index e5ee6decc..1a1f91b02 100644 --- a/client-programs/cmd/educates/main.go +++ b/client-programs/cmd/educates/main.go @@ -7,7 +7,11 @@ import ( "os" "strings" + "github.com/go-logr/logr" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cmd" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/logger" + "k8s.io/klog/v2" + logf "sigs.k8s.io/controller-runtime/pkg/log" ) // NOTE: The version of Educates which is installed by the CLI is overridden 
@@ -22,6 +26,9 @@ func main() { // All the functions for setting up commands are implemented as receiver // functions on ProjectInfo object so they can have access to compiled in // default values such as the release version of Educates. + log := logr.New(logger.NullLogSink{}) //zap.New(zap.UseDevMode(false)) + logf.SetLogger(log) // This one is used in the reconciler code + klog.SetLogger(log) // This one is used in the k8s client-go code p := cmd.NewProjectInfo(strings.TrimSpace(projectVersion), strings.TrimSpace(imageRepository)) diff --git a/client-programs/go.mod b/client-programs/go.mod index cf61dd83d..2b5d2c008 100644 --- a/client-programs/go.mod +++ b/client-programs/go.mod 
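Review bot: Installing `logger.NullLogSink{}` as both the controller-runtime and the klog logger discards every message those libraries emit, including errors and warnings (klog is, as far as I can tell from the imports, the channel client-go uses for things like credential-plugin failures and deprecation/throttling warnings), so an operator debugging a failed install or a suspicious connection gets nothing, and there is no flag to turn it back on. Consider wiring the sink to the CLI's verbosity option, or at least keeping a minimal sink that forwards `Error(...)` calls to stderr while dropping `Info`. Separately, the trailing `//zap.New(zap.UseDevMode(false))` is commented-out code with no import backing it and should be removed: `log := logr.New(logger.NullLogSink{})`. The `main` function this hunk belongs to starts and ends outside the hunk.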
@@ -1,74 +1,70 @@ module github.com/vmware-tanzu-labs/educates-training-platform/client-programs -go 1.21 - -toolchain go1.21.4 +go 1.22.5 require ( - github.com/adrg/xdg v0.4.0 + carvel.dev/imgpkg v0.43.0 + carvel.dev/kapp v0.63.2 + carvel.dev/kbld v0.44.0 + carvel.dev/vendir v0.41.0 + carvel.dev/ytt v0.50.0 + github.com/adrg/xdg v0.5.0 github.com/compose-spec/compose-go v1.20.2 github.com/cppforlife/go-cli-ui v0.0.0-20220622150351-995494831c6c github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v24.0.9+incompatible - github.com/docker/go-connections v0.4.0 - github.com/gorilla/websocket v1.5.1 + github.com/docker/docker v27.1.1+incompatible + github.com/docker/go-connections v0.5.0 + github.com/go-logr/logr v1.4.2 + github.com/gorilla/websocket v1.5.3 github.com/joho/godotenv v1.5.1 github.com/pkg/errors v0.9.1 - github.com/spf13/cobra v1.8.0 - github.com/vmware-tanzu/carvel-imgpkg v0.38.3 - github.com/vmware-tanzu/carvel-kapp v0.59.2 - golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 + github.com/spf13/cobra v1.8.1 + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 gopkg.in/yaml.v2 v2.4.0 - k8s.io/api v0.29.0 - k8s.io/apimachinery v0.29.0 - k8s.io/client-go v0.29.0 - k8s.io/kubectl v0.29.0 - sigs.k8s.io/kind v0.20.0 + k8s.io/api v0.30.3 + k8s.io/apimachinery v0.30.3 + k8s.io/client-go v0.30.3 + k8s.io/kubectl v0.30.3 + sigs.k8s.io/kind v0.23.0 sigs.k8s.io/yaml v1.4.0 ) require ( - github.com/vmware-tanzu/carvel-vendir v0.36.1 - github.com/vmware-tanzu/carvel-ytt v0.46.3 -) - -require ( - cloud.google.com/go/compute v1.23.3 // indirect - cloud.google.com/go/compute/metadata v0.2.3 // indirect + cloud.google.com/go/compute/metadata v0.5.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 // indirect - 
github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect - github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect + github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/BurntSushi/toml v1.3.2 // indirect + github.com/BurntSushi/toml v1.4.0 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect - github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect github.com/VividCortex/ewma v1.2.0 // indirect github.com/alessio/shellescape v1.4.2 // indirect - github.com/aws/aws-sdk-go-v2 v1.24.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.26.1 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.16.12 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ecr v1.24.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.5 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 // indirect - github.com/aws/smithy-go v1.19.0 // indirect - github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.3 // 
indirect + github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.31.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect + github.com/aws/smithy-go v1.20.3 // indirect + github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240730143543-a8d7d3c42ca1 // indirect github.com/bmatcuk/doublestar v1.3.4 // indirect - github.com/carvel-dev/semver/v4 v4.0.1-0.20230221220520-8090ce423695 // indirect - github.com/cheggaaa/pb/v3 v3.1.4 // indirect + github.com/carvel-dev/semver/v4 v4.0.1-0.20240402203627-beb83fbf25e4 // indirect + github.com/cheggaaa/pb/v3 v3.1.5 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect github.com/cppforlife/cobrautil v0.0.0-20221130162803-acdfead391ef // indirect 
@@ -76,84 +72,104 @@ require ( github.com/cppforlife/go-patch v0.2.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect - github.com/distribution/reference v0.5.0 // indirect - github.com/docker/cli v24.0.7+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.0 // indirect + github.com/distribution/reference v0.6.0 // indirect + github.com/docker/cli v27.1.1+incompatible // indirect + github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-units v0.5.0 // indirect - github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/evanphx/json-patch/v5 v5.7.0 // indirect - github.com/fatih/color v1.16.0 // indirect - github.com/go-logr/logr v1.3.0 // indirect - github.com/go-openapi/jsonpointer v0.20.1 // indirect - github.com/go-openapi/jsonreference v0.20.3 // indirect - github.com/go-openapi/swag v0.22.5 // indirect + github.com/emicklei/go-restful/v3 v3.12.1 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/fatih/color v1.17.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect - github.com/google/go-containerregistry v0.17.0 // indirect + github.com/google/go-containerregistry v0.20.1 // indirect github.com/google/go-github v17.0.0+incompatible // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/safetext v0.0.0-20230106111101-7156a760e523 // indirect - 
github.com/google/uuid v1.5.0 // indirect - github.com/hashicorp/go-version v1.6.0 // indirect - github.com/imdario/mergo v0.3.16 // indirect + github.com/google/safetext v0.0.0-20240722112252-5a72de7e7962 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/hashicorp/go-version v1.7.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/k14s/difflib v0.0.0-20201117154628-0c031775bf57 // indirect - github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 // indirect - github.com/k14s/ytt v0.39.0 // indirect - github.com/klauspost/compress v1.17.4 // indirect + github.com/klauspost/compress v1.17.9 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/mattn/go-runewidth v0.0.15 // indirect + github.com/mattn/go-runewidth v0.0.16 // indirect github.com/mattn/go-shellwords v1.0.12 // indirect - github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect - github.com/moby/spdystream v0.2.0 // indirect + github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/spdystream v0.5.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc5 // indirect + 
github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/openshift/crd-schema-checker v0.0.0-20240509132424-ee8e9956bcaf // indirect github.com/otiai10/copy v1.14.0 // indirect + github.com/pborman/uuid v1.2.1 // indirect github.com/pelletier/go-toml v1.9.5 // indirect - github.com/rivo/uniseg v0.4.4 // indirect + github.com/rivo/uniseg v0.4.7 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/vbatts/tar-split v0.11.5 // indirect github.com/vito/go-interact v1.0.1 // indirect - github.com/vmware-tanzu/carvel-kapp-controller v0.49.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - golang.org/x/crypto v0.21.0 // indirect - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.23.0 // indirect - golang.org/x/oauth2 v0.15.0 // indirect - golang.org/x/sync v0.5.0 // indirect - golang.org/x/sys v0.18.0 // indirect - golang.org/x/term v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect + golang.org/x/crypto v0.25.0 // indirect + golang.org/x/net v0.27.0 // indirect + golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.22.0 // indirect + golang.org/x/term v0.22.0 // indirect + golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.16.1 // indirect - google.golang.org/appengine v1.6.8 // indirect - google.golang.org/protobuf v1.33.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect 
gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/cli-runtime v0.29.0 // indirect - k8s.io/klog/v2 v2.110.1 // indirect - k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8 // indirect - k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect + k8s.io/apiextensions-apiserver v0.30.3 // indirect + k8s.io/cli-runtime v0.30.3 + k8s.io/component-helpers v0.30.3 // indirect + k8s.io/klog/v2 v2.130.1 + k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + sigs.k8s.io/controller-runtime v0.18.4 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) + +require ( + github.com/containerd/log v0.1.0 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect + github.com/k14s/difflib v0.0.0-20240118055029-596a7a5585c3 // indirect + github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 // indirect + github.com/k14s/ytt v0.36.0 // indirect + github.com/vmware-tanzu/carvel-kapp-controller v0.51.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240722135656-d784300faade // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade // indirect + google.golang.org/grpc v1.64.1 // indirect + k8s.io/apiserver v0.30.3 // indirect + k8s.io/kubernetes v1.30.3 // indirect +) diff --git a/client-programs/go.sum b/client-programs/go.sum index 80e74e433..0e5797407 100644 --- a/client-programs/go.sum +++ b/client-programs/go.sum 
@@ -1,23 +1,43 @@ -cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= -cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= -cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= -cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +carvel.dev/imgpkg v0.43.0 h1:Co2oGu0iR76/PwuJt+ZJBsrX2BsMKguvv9x6bFh2E0g= +carvel.dev/imgpkg v0.43.0/go.mod h1:bPg9BMLe00c1Z9YW30zuNaqaGTEAl4ysDMl/lzftGck= +carvel.dev/kapp v0.63.2 h1:Fy0XXZRKn0e5XGL8y/Tqr1lCFPJejvp/bDlTDXQicCQ= +carvel.dev/kapp v0.63.2/go.mod h1:1N6sOl3tqkIterSvng8DMc5/4PDlbCHVfLD/M7vLnps= +carvel.dev/kbld v0.44.0 h1:HB7MmwO2qGmsRiHV9mRAiiNv7h4uQbvS51kM/N2exS4= +carvel.dev/kbld v0.44.0/go.mod h1:5dU+HpDT4zQTtH7dQGoGNX/zQ9zZ6dZm5RJIN1aCm1s= +carvel.dev/vendir v0.41.0 h1:Sbqewcb8WD09eApib9bX6LBsdc7QRwjTYF27w2Jg/LA= +carvel.dev/vendir v0.41.0/go.mod h1:LyXSnh0IKZ0Stj7ZLHt4bRDeFLZo6O4vf/Yv1emZzAQ= +carvel.dev/ytt v0.50.0 h1:otS2H45ya406sikV17k9FP9Xo0MOVwbHByuA+cPvc4E= +carvel.dev/ytt v0.50.0/go.mod h1:qnB4lXG2eR1F8f9sid21DYzU8hFGFAx/7HO2pvUysHk= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY= +cloud.google.com/go/compute/metadata v0.5.0/go.mod 
h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= +github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= -github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8= -github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod 
h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= +github.com/Azure/go-autorest/autorest/adal v0.9.24 h1:BHZfgGsGwdkHDyZdtQRQk1WeUdW0m2WPAwuHZwUi5i4= +github.com/Azure/go-autorest/autorest/adal v0.9.24/go.mod h1:7T1+g0PYFmACYW5LlG2fcoPiPlFHjClyRGL7dRlP5c8= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 h1:Ov8avRZi2vmrE2JcXw+tu5K/yB41r7xK9GZDiBF7NdM= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.13/go.mod h1:5BAVfWLWXihP47vYrPuBKKf4cS0bXI+KM9Qx6ETDJYo= github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc= github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= 
@@ -29,151 +49,210 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= -github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= +github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= -github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= -github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow= github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4= -github.com/adrg/xdg v0.4.0 h1:RzRqFcjH4nE5C6oTAxhBtoE2IRyjBSa62SCbyPidvls= -github.com/adrg/xdg v0.4.0/go.mod h1:N6ag73EX4wyxeaoeHctc1mas01KZgsj5tYiAIwqJE/E= 
-github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= +github.com/adrg/xdg v0.5.0 h1:dDaZvhMXatArP1NPHhnfaQUqWBLBsmx1h1HXQdMoFCY= +github.com/adrg/xdg v0.5.0/go.mod h1:dDdY4M4DF9Rjy4kHPeNL+ilVF+p2lK8IdM9/rTSGcI4= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0= github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/aws/aws-sdk-go-v2 v1.24.0 h1:890+mqQ+hTpNuw0gGP6/4akolQkSToDJgHfQE7AwGuk= -github.com/aws/aws-sdk-go-v2 v1.24.0/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.1 h1:z6DqMxclFGL3Zfo+4Q0rLnAZ6yVkzCRxhRMsiRQnD1o= -github.com/aws/aws-sdk-go-v2/config v1.26.1/go.mod h1:ZB+CuKHRbb5v5F0oJtGdhFTelmrxd4iWO1lf0rQwSAg= -github.com/aws/aws-sdk-go-v2/credentials v1.16.12 h1:v/WgB8NxprNvr5inKIiVVrXPuuTegM+K8nncFkr1usU= -github.com/aws/aws-sdk-go-v2/credentials v1.16.12/go.mod h1:X21k0FjEJe+/pauud82HYiQbEr9jRKY3kXEIQ4hXeTQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 h1:w98BT5w+ao1/r5sUuiH6JkVzjowOKeOJRHERyy1vh58= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10/go.mod 
h1:K2WGI7vUvkIv1HoNbfBA1bvIZ+9kL3YVmWxeKuLQsiw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9 h1:v+HbZaCGmOwnTTVS86Fleq0vPzOd7tnJGbFhP0stNLs= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9/go.mod h1:Xjqy+Nyj7VDLBtCMkQYOw1QYfAEZCVLrfI0ezve8wd4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9 h1:N94sVhRACtXyVcjXxrwK1SKFIJrA9pOJ5yu2eSHnmls= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9/go.mod h1:hqamLz7g1/4EJP+GH5NBhcUMLjW+gKLQabgyz6/7WAU= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= -github.com/aws/aws-sdk-go-v2/service/ecr v1.24.5 h1:wLPDAUFT50NEXGXpywRU3AA74pg35RJjWol/68ruvQQ= -github.com/aws/aws-sdk-go-v2/service/ecr v1.24.5/go.mod h1:AOHmGMoPtSY9Zm2zBuwUJQBisIvYAZeA1n7b6f4e880= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.5 h1:PQp21GBlGNaQ+AVJAB8w2KTmLx0DkFS2fDET2Iy3+f0= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.5/go.mod h1:WMntdAol8KgeYsa5sDZPsRTXs4jVZIMYu0eQVVIQxnc= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9 h1:Nf2sHxjMJR8CSImIVCONRi4g0Su3J+TSTbS7G0pUeMU= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9/go.mod h1:idky4TER38YIjr2cADF1/ugFMKvZV7p//pVeV5LZbF0= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 h1:ldSFWz9tEHAwHNmjx2Cvy1MjP5/L9kNoR0skc6wyOOM= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.5/go.mod h1:CaFfXLYL376jgbP7VKC96uFcU8Rlavak0UlAwk1Dlhc= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 h1:2k9KmFawS63euAkY4/ixVNsYYwrwnd5fIvgEKkfZFNM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5/go.mod 
h1:W+nd4wWDVkSUIox9bacmkBP5NMFQeTJ/xqNabpzSR38= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 h1:5UYvv8JUvllZsRnfrcMQ+hJ9jNICmcgKPAO1CER25Wg= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.5/go.mod h1:XX5gh4CB7wAs4KhcF46G6C8a2i7eupU19dcAAE+EydU= -github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= -github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6 h1:PlJRmqKlSlEUlwem1c3zdPaEMtJc/ktnV7naD5Qvsx4= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6/go.mod h1:08sPJIlDHu4HwQ1xScPgsBWezvM6U10ghGKBJu0mowA= +github.com/aws/aws-lambda-go v1.26.0/go.mod h1:jJmlefzPfGnckuHdXX7/80O3BvUUi12XOkbv4w9SGLU= +github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY= +github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc= +github.com/aws/aws-sdk-go-v2/config v1.27.27 h1:HdqgGt1OAP0HkEDDShEl0oSYa9ZZBSOmKpdpsDMdO90= +github.com/aws/aws-sdk-go-v2/config v1.27.27/go.mod h1:MVYamCg76dFNINkZFu4n4RjDixhVr51HLj4ErWzrVwg= +github.com/aws/aws-sdk-go-v2/credentials v1.17.27 h1:2raNba6gr2IfA0eqqiP2XiQ0UVOpGPgDSi0I9iAP+UI= +github.com/aws/aws-sdk-go-v2/credentials v1.17.27/go.mod h1:gniiwbGahQByxan6YjQUMcW4Aov6bLC3m+evgcoN4r4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod 
h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= +github.com/aws/aws-sdk-go-v2/service/ecr v1.31.0 h1:vi/MwojjLGATEEUFn2GEdLiom7CFlB+qCIx4tDWqKfQ= +github.com/aws/aws-sdk-go-v2/service/ecr v1.31.0/go.mod h1:RhaP7Wil0+uuuhiE4FzOOEFZwkmFAk1ZflXzK+O3ptU= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.3 h1:n2eqzO9VabUkd77b88Hos6OEtbGohB/TRrtXLTZi38Y= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.3/go.mod h1:Oy3yHBGkKtTmsn6iJGEZxytzZQrEvoFRWldB4XmzlO4= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 h1:BXx0ZIxvrJdSgSvKTZ+yRBeSqqgPM89VPlulEcl37tM= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.4/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 h1:yiwVzJW2ZxZTurVbYWA7QOrAaCYQR72t0wrSBfoesUE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5hB7H69YUpFiI1tql6Q6Ne+1bCw= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ= +github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE= +github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= 
+github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240730143543-a8d7d3c42ca1 h1:KzgMB9L9rxpYY7TVVZLQCn2JUdJyRsIKVzxd6KzJSKY= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240730143543-a8d7d3c42ca1/go.mod h1:yRvLJAL/+VxKEc103WbeojloNH9Da5YKkY72PCg/r4s= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= +github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0= github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE= -github.com/carvel-dev/semver/v4 v4.0.1-0.20230221220520-8090ce423695 h1:naCDnpJeqQq5OHOYR6j01yIVVUk3WI5MuSHpDTy+M1A= -github.com/carvel-dev/semver/v4 v4.0.1-0.20230221220520-8090ce423695/go.mod h1:4cFTBLAr/U11ykiEEQMccu4uJ1i0GS+atJmeETHCFtI= -github.com/cheggaaa/pb/v3 v3.1.4 h1:DN8j4TVVdKu3WxVwcRKu0sG00IIU6FewoABZzXbRQeo= -github.com/cheggaaa/pb/v3 v3.1.4/go.mod h1:6wVjILNBaXMs8c21qRiaUM8BR82erfgau1DQ4iUXmSA= +github.com/carvel-dev/semver/v4 v4.0.1-0.20240402203627-beb83fbf25e4 h1:F4rZiMGZyC66j9VB7doVOE4tFHF1yNEihQlOuht4jmM= +github.com/carvel-dev/semver/v4 v4.0.1-0.20240402203627-beb83fbf25e4/go.mod h1:4cFTBLAr/U11ykiEEQMccu4uJ1i0GS+atJmeETHCFtI= 
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cheggaaa/pb/v3 v3.1.5 h1:QuuUzeM2WsAqG2gMqtzaWithDJv0i+i6UlnwSCI4QLk= +github.com/cheggaaa/pb/v3 v3.1.5/go.mod h1:CrxkeghYTXi1lQBEI7jSn+3svI3cuc19haAj6jM60XI= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/compose-spec/compose-go v1.20.2 h1:u/yfZHn4EaHGdidrZycWpxXgFffjYULlTbRfJ51ykjQ= github.com/compose-spec/compose-go v1.20.2/go.mod h1:+MdqXV4RA7wdFsahh/Kb8U0pAJqkg7mr4PM9tFKU8RM= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= +github.com/coreos/bbolt v1.3.2/go.mod 
h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cppforlife/cobrautil v0.0.0-20200514214827-bb86e6965d72/go.mod h1:2w+qxVu2KSGW78Ex/XaIqfh/OvBgjEsmN53S4T8vEyA= github.com/cppforlife/cobrautil v0.0.0-20221130162803-acdfead391ef h1:de10GNLe45JTMghl2qf9WH17H/BjGShK41X3vKAsPJA= github.com/cppforlife/cobrautil v0.0.0-20221130162803-acdfead391ef/go.mod h1:2w+qxVu2KSGW78Ex/XaIqfh/OvBgjEsmN53S4T8vEyA= github.com/cppforlife/color v1.9.1-0.20200716202919-6706ac40b835 h1:mYQweUIBD+TBRjIeQnJmXr0GSVMpI6O0takyb/aaOgo= github.com/cppforlife/color v1.9.1-0.20200716202919-6706ac40b835/go.mod h1:dYeVsKp1vvK8XjdTPR1gF+uk+9doxKeO3hqQTOCr7T4= +github.com/cppforlife/go-cli-ui v0.0.0-20200505234325-512793797f05/go.mod h1:I0qrzCmuPWYI6kAOvkllYjaW2aovclWbJ96+v+YyHb0= github.com/cppforlife/go-cli-ui v0.0.0-20220622150351-995494831c6c h1:Au0iPWQ6E8TMil9HiGW/DI4CBttUpBOZWkzgqwq+PLg= github.com/cppforlife/go-cli-ui v0.0.0-20220622150351-995494831c6c/go.mod h1:ci7nWkU0g40w486NlpUpXXpTD3pkOBjH090Uc0wpER4= github.com/cppforlife/go-patch v0.2.0 h1:Y14MnCQjDlbw7WXT4k+u6DPAA9XnygN4BfrSpI/19RU= github.com/cppforlife/go-patch v0.2.0/go.mod h1:67a7aIi94FHDZdoeGSJRRFDp66l9MhaAG1yGxpUoFD8= -github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod 
h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= -github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= -github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg= -github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod 
h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v24.0.9+incompatible h1:HPGzNmwfLZWdxHqK9/II92pyi1EpYKsAqcl4G0Of9v0= -github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8= -github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40= -github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= -github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= +github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= +github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= +github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= -github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc= -github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod 
h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= +github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-openapi/jsonpointer v0.20.1 h1:MkK4VEIEZMj4wT9PmjaUmGflVBr9nvud4Q4UVFbDoBE= -github.com/go-openapi/jsonpointer v0.20.1/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= -github.com/go-openapi/jsonreference v0.20.3 h1:EjGcjTW8pD1mRis6+w/gmoBdqv5+RbE9B85D1NgDOVQ= -github.com/go-openapi/jsonreference v0.20.3/go.mod h1:FviDZ46i9ivh810gqzFLl5NttD5q3tSlMLqLr6okedM= -github.com/go-openapi/swag 
v0.22.5 h1:fVS63IE3M0lsuWRzuom3RLwUMVI2peDH01s6M70ugys= -github.com/go-openapi/swag v0.22.5/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.17.0 h1:5p+zYs/R4VGHkhyvgWurWrpJ2hW4Vv9fQI+GzdcwXLk= -github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= +github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0= +github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 
@@ -181,45 +260,89 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg= -github.com/google/safetext v0.0.0-20230106111101-7156a760e523 h1:i4NsbmB9pD5+Ggp5GZKyvYY6MkjvPE8CIMlkvXFF8gA= -github.com/google/safetext v0.0.0-20230106111101-7156a760e523/go.mod h1:mJNEy0r5YPHC7ChQffpOszlGB4L1iqjXWpIEKcFpr9s= -github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= -github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/safetext v0.0.0-20240722112252-5a72de7e7962 h1:+9C/TgFfcCmZBV7Fjb3kQCGlkpFrhtvFDgbdQHB9RaA= +github.com/google/safetext v0.0.0-20240722112252-5a72de7e7962/go.mod h1:H3K1Iu/utuCfa10JO+GsmKUYSWi7ug57Rk6GaDRHaaQ= +github.com/google/uuid 
v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= -github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= -github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= -github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= +github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= 
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= +github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hpcloud/tail 
v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/hpcloud/tail v1.0.1-0.20180514194441-a1dbeea552b7/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0= github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/k14s/difflib v0.0.0-20201117154628-0c031775bf57 h1:CwBRArr+BWBopnUJhDjJw86rPL/jGbEjfHWKzTasSqE= +github.com/jstemmer/go-junit-report 
v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/k14s/difflib v0.0.0-20201117154628-0c031775bf57/go.mod h1:B0xN2MiNBGWOWi9CcfAo9LBI8IU4J1utlbOIJCsmKr4= +github.com/k14s/difflib v0.0.0-20240118055029-596a7a5585c3 h1:q2ikACDbDDbyUcN9JkDcNMGhIx1EBRkctAsPZMr35qM= +github.com/k14s/difflib v0.0.0-20240118055029-596a7a5585c3/go.mod h1:B0xN2MiNBGWOWi9CcfAo9LBI8IU4J1utlbOIJCsmKr4= github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 h1:4bcRTTSx+LKSxMWibIwzHnDNmaN1x52oEpvnjCy+8vk= github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368/go.mod h1:lKGj1op99m4GtQISxoD2t+K+WO/q2NzEPKvfXFQfbCA= -github.com/k14s/ytt v0.39.0 h1:SSdF030TVUBTP9lGge51v5GLgUjgu49B7l/YPzzrm8g= -github.com/k14s/ytt v0.39.0/go.mod h1:JLCkplRQQm6X+4FqgAYrwvDtVxzMCZxe88bH1kr4bgQ= +github.com/k14s/ytt v0.36.0 h1:ERr7q+r3ziYJv91fvTx2b76d1MIo3SI/EsAS01WU+Zo= +github.com/k14s/ytt v0.36.0/go.mod h1:awQ3bHBk1qT2Xn3GJVdmaLss2khZOIBBKFd2TNXZNMk= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= -github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod 
h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -230,114 +353,171 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= -github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= -github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= +github.com/mattn/go-runewidth v0.0.16/go.mod 
h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= -github.com/moby/spdystream 
v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= +github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/niemeyer/pretty 
v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0= github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= -github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= -github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= -github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 
-github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= -github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/openshift/crd-schema-checker v0.0.0-20240509132424-ee8e9956bcaf h1:WoO2cTGQ0Jgy46EY+dFBmY/q1vBQ6e6b8ONji633i+w= +github.com/openshift/crd-schema-checker v0.0.0-20240509132424-ee8e9956bcaf/go.mod h1:EmVJt97N+pfWFsli/ipXTBZqSG5F5KGQhm3c3IsGq1o= github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU= github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w= github.com/otiai10/mint v1.5.1 h1:XaPLeE+9vGbuyEHem1JNk3bYc7KKqyI/na0/mLd/Kks= github.com/otiai10/mint v1.5.1/go.mod h1:MJm72SBthJjz8qhefc4z1PYEieWmy8Bku7CjcAqyUSM= -github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= +github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod 
h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= +github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.12.0 
h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= -github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis= -github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= +github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= +github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod 
h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod 
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/urfave/cli/v2 v2.2.0/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= +github.com/vito/go-interact v0.0.0-20171111012221-fa338ed9e9ec/go.mod h1:wPlfmglZmRWMYv/qJy3P+fK/UnoQB5ISk4txfNd9tDo= github.com/vito/go-interact v1.0.1 h1:O8xi8c93bRUv2Tb/v6HdiuGc+WnWt+AQzF74MOOdlBs= github.com/vito/go-interact v1.0.1/go.mod h1:HrdHSJXD2yn1MhlTwSIMeFgQ5WftiIorszVGd3S/DAA= -github.com/vmware-tanzu/carvel-imgpkg v0.38.3 h1:vVnqCPFEZ2NQcoTywg/va91qRyCuu46wBYAETqoyez4= -github.com/vmware-tanzu/carvel-imgpkg v0.38.3/go.mod h1:v9BcO1qfXwwIQFw2zmksdUkx8eI1e+/a0Md3xG2BzDE= -github.com/vmware-tanzu/carvel-kapp v0.59.2 
h1:3S2wG05ZNa6dhnsEepDg7e6N8zl3sLHEse5wvL1YCQM= -github.com/vmware-tanzu/carvel-kapp v0.59.2/go.mod h1:HAeURGw65eT00APPvnOQ8uDx5yvdrro2vtH5VYF1Zz0= -github.com/vmware-tanzu/carvel-kapp-controller v0.49.0 h1:qsVvuvhQjoSbrzVTsSsuiXzd2X5oK4H2Il4zAHDMD50= -github.com/vmware-tanzu/carvel-kapp-controller v0.49.0/go.mod h1:3rpvp98IrVlqZ/Vli9YmFsmtf1Z1A9OrdYyx9Wtl9KM= -github.com/vmware-tanzu/carvel-vendir v0.36.1 h1:/x93p4cmSSsv7ZqZPxV15VwzsV2VWcDthPPGtLwKEwQ= -github.com/vmware-tanzu/carvel-vendir v0.36.1/go.mod h1:rPGI/zItMK4QgLRpLix2aykoYufavHyKqqLTONXb2uE= -github.com/vmware-tanzu/carvel-ytt v0.46.3 h1:BO4SrVJesOw9OGBkVtaxI99JMvdN/PP2+gsr/WN/2q8= -github.com/vmware-tanzu/carvel-ytt v0.46.3/go.mod h1:Xarf0th61vX6VY07l3KBSi3uaMCQ2UyPPiCPiaVpHME= +github.com/vmware-tanzu/carvel-kapp-controller v0.51.0 h1:lCCHy9n/AzWPtq5gqbINJHgmF32RCUkh9DbVQgx6HAs= +github.com/vmware-tanzu/carvel-kapp-controller v0.51.0/go.mod h1:go1MQz1D2kVgjaE2ZHtuHGECFk8EDLeXMpjmDNDzuJM= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -345,27 +525,85 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 h1:j9+03ymgYhPKmeXGk5Zu+cIZOlVzd9Zv7QIiyItjFBU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0/go.mod h1:Y5+XiUG4Emn1hTfciPzGPJaSI+RpDts6BnCIir0SLqk= +go.opentelemetry.io/otel/metric v1.28.0 
h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180723164146-c126467f60eb/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4= -golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod 
h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180730214132-a0f8a16cb08c/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 
@@ -374,21 +612,40 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= -golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= -golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -401,97 +658,171 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220411215600-e5f449aeb171/go.mod 
h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= -golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod 
h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod 
h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto/googleapis/api v0.0.0-20240722135656-d784300faade h1:WxZOF2yayUHpHSbUE6NMzumUzBxYc3YGwo0YHnbzsJY= +google.golang.org/genproto/googleapis/api v0.0.0-20240722135656-d784300faade/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade h1:oCRSWfwGXQsqlVdErcyTt4A93Y8fo0/9D4b1gnI++qo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod 
h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA= +google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/fsnotify/fsnotify.v1 v1.4.7/go.mod h1:Fyux9zXlo4rWoMSIzpn9fDAYjalPqJ/K1qJ27s+7ltE= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/tomb.v1 v1.0.0-20140529071818-c131134a1947/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= -k8s.io/cli-runtime v0.29.0 h1:q2kC3cex4rOBLfPOnMSzV2BIrrQlx97gxHJs21KxKS4= -k8s.io/cli-runtime v0.29.0/go.mod h1:VKudXp3X7wR45L+nER85YUzOQIru28HQpXr0mTdeCrk= -k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= -k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= -k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= -k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= -k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8 h1:yHNkNuLjht7iq95pO9QmbjOWCguvn8mDe3lT78nqPkw= -k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI= -k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs= -k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI= -k8s.io/utils v0.0.0-20231127182322-b307cd553661/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= +k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= +k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= +k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= +k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= +k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= +k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +k8s.io/component-helpers v0.30.3 h1:KPc8l0eGx9Wg2OcKc58k9ozNcVcOInAi3NGiuS2xJ/c= +k8s.io/component-helpers v0.30.3/go.mod h1:VOQ7g3q+YbKWwKeACG2BwPv4ftaN8jXYJ5U3xpzuYAE= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e h1:OnKkExfhk4yxMqvBSPzUfhv3zQ96FWJ+UOZzLrAFyAo= +k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e/go.mod h1:0CVn9SVo8PeW5/JgsBZZIFmmTk5noOM8WXf2e1tCihE= +k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= +k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= +k8s.io/kubernetes v1.30.3 
h1:A0qoXI1YQNzrQZiff33y5zWxYHFT/HeZRK98/sRDJI0= +k8s.io/kubernetes v1.30.3/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= +sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kind v0.20.0 h1:f0sc3v9mQbGnjBUaqSFST1dwIuiikKVGgoTwpoP33a8= -sigs.k8s.io/kind v0.20.0/go.mod h1:aBlbxg08cauDgZ612shr017/rZwqd7AS563FvpWKPVs= +sigs.k8s.io/kind v0.23.0 h1:8fyDGWbWTeCcCTwA04v4Nfr45KKxbSPH1WO9K+jVrBg= +sigs.k8s.io/kind v0.23.0/go.mod h1:ZQ1iZuJLh3T+O8fzhdi3VWcFTzsdXtNv2ppsHc8JQ7s= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/client-programs/pkg/cluster/cluster.go b/client-programs/pkg/cluster/cluster.go index 2ec891b82..bf4b80d89 100644 --- a/client-programs/pkg/cluster/cluster.go +++ b/client-programs/pkg/cluster/cluster.go 
@@ -1,30 +1,45 @@ package cluster import ( + "context" + "fmt" "os" "github.com/pkg/errors" + apiv1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/discovery" "k8s.io/client-go/dynamic" "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" - clientcmdapi "k8s.io/client-go/tools/clientcmd/api" ) type ClusterConfig struct { Kubeconfig string + Context string } -func NewClusterConfig(kubeconfig string) *ClusterConfig { - return &ClusterConfig{kubeconfig} +func NewClusterConfig(kubeconfig string, context string) *ClusterConfig { + return &ClusterConfig{kubeconfig, context} } -func GetConfig(masterURL, kubeconfigPath string) (*rest.Config, error) { - envVarName := clientcmd.RecommendedConfigPathEnvVar +func NewClusterConfigIfAvailable(kubeconfig string, context string) (*ClusterConfig, error) { + clusterConfig := NewClusterConfig(kubeconfig, context) - if kubeconfigPath == "" && masterURL == "" && os.Getenv(envVarName) == "" { - // No explicit overrides so attempt to use in cluster config first. + if err := IsClusterAvailableCheck(clusterConfig); err != nil { + return nil, err + } + return clusterConfig, nil +} + +// TODO: Use context and kubeconfig to build a client config. +func GetConfig(kubeconfigPath string, context string) (*rest.Config, error) { + envVarName := clientcmd.RecommendedConfigPathEnvVar + + // No explicit overrides so attempt to use in cluster config first. + if kubeconfigPath == "" && os.Getenv(envVarName) == "" { kubeconfig, err := rest.InClusterConfig() if err == nil { 
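Review bot: The new `context string` parameter on NewClusterConfig and GetConfig shadows the `context` package imported in the same hunk, so any later `context.TODO()` call inside these functions fails to compile; a name such as `kubeContext` avoids that, e.g. `func GetConfig(kubeconfigPath string, kubeContext string) (*rest.Config, error)`. The same shadowing recurs at `if context != ""` in the next hunk. The `// TODO: Use context and kubeconfig to build a client config.` comment reads as stale, since the rest of GetConfig (next hunk) already copies the value into `configOverrides.CurrentContext`; either drop it or state what is still missing. GetConfig's body continues past this hunk.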
@@ -34,39 +49,56 @@ func GetConfig(masterURL, kubeconfigPath string) (*rest.Config, error) { if kubeconfigPath != "" { if _, err := os.Stat(kubeconfigPath); os.IsNotExist(err) { - // Only use override for kubeconfig file if it actually exists. - - kubeconfigPath = "" + // If kubeconfig is provided but not available, fail + return nil, errors.Wrap(err, "kubeconfig file does not exist") } } loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() loadingRules.ExplicitPath = kubeconfigPath - configOverrides := &clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterURL}} + + configOverrides := &clientcmd.ConfigOverrides{} + if context != "" { + configOverrides.CurrentContext = context + } return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, configOverrides).ClientConfig() } +func (o *ClusterConfig) GetConfig() (*rest.Config, error) { + return GetConfig(o.Kubeconfig, o.Context) +} + func (o *ClusterConfig) GetClient() (*kubernetes.Clientset, error) { - config, err := GetConfig("", o.Kubeconfig) + config, err := GetConfig(o.Kubeconfig, o.Context) if err != nil { - return nil, errors.Wrap(err, "unable to build client config") + return nil, err } return kubernetes.NewForConfig(config) } func (o *ClusterConfig) GetDynamicClient() (dynamic.Interface, error) { - config, err := GetConfig("", o.Kubeconfig) + config, err := GetConfig(o.Kubeconfig, o.Context) if err != nil { - return nil, errors.Wrap(err, "unable to build client config") + return nil, err } return dynamic.NewForConfig(config) } +func (o *ClusterConfig) GetDiscoveryClient() (*discovery.DiscoveryClient, error) { + config, err := GetConfig(o.Kubeconfig, o.Context) + + if err != nil { + return nil, err + } + + return discovery.NewDiscoveryClientForConfig(config) +} + func KubeconfigPath(override string, fallback string) string { if override != "" { return override 
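Review bot: GetClient, GetDynamicClient and GetDiscoveryClient each call the package-level `GetConfig(o.Kubeconfig, o.Context)` even though this hunk introduces `(o *ClusterConfig) GetConfig()` for exactly that purpose; `config, err := o.GetConfig()` in all three keeps the field-to-config mapping in one place. The `os.Stat` guard only turns a missing file into an error, while other stat failures (for example permission denied) fall through to the loading rules with a less specific message; `if _, err := os.Stat(kubeconfigPath); err != nil { return nil, errors.Wrap(err, "unable to access kubeconfig file") }` reports every case with the cause attached. This hunk starts inside GetConfig, whose signature is in the previous hunk.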
@@ -80,3 +112,40 @@ func KubeconfigPath(override string, fallback string) string { return fallback } + +func IsClusterAvailableCheck(clusterConfig *ClusterConfig) error { + discoveryClient, err := clusterConfig.GetDiscoveryClient() + if err != nil { + return err + } + + _, err = discoveryClient.ServerVersion() + if err != nil { + return errors.New("Cluster is not available or not reachable") + } + return nil +} + +func CreateLoopbackService(k8sclient *kubernetes.Clientset, domain string) error { + service := apiv1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "loopback", + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeExternalName, + ExternalName: fmt.Sprintf("localhost.%s", domain), + }, + } + + servicesClient := k8sclient.CoreV1().Services("default") + + servicesClient.Delete(context.TODO(), "loopback", *metav1.NewDeleteOptions(0)) + + _, err := servicesClient.Create(context.TODO(), &service, metav1.CreateOptions{}) + + if err != nil { + return errors.Wrap(err, "unable to create localhost loopback service") + } + + return nil +} diff --git a/client-programs/pkg/cluster/kindcluster.go b/client-programs/pkg/cluster/kindcluster.go index 645427428..a95e5d430 100644 --- a/client-programs/pkg/cluster/kindcluster.go +++ b/client-programs/pkg/cluster/kindcluster.go @@ -10,7 +10,6 @@ import ( "path/filepath" "time" - "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/container" "github.com/docker/docker/client" "github.com/pkg/errors" @@ -20,10 +19,12 @@ import ( "sigs.k8s.io/kind/pkg/cmd" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" ) type KindClusterConfig struct { - ClusterConfig + Config ClusterConfig + provider *cluster.Provider } func NewKindClusterConfig(kubeconfig string) *KindClusterConfig { 
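Review bot: IsClusterAvailableCheck discards the error from `discoveryClient.ServerVersion()`, so a TLS, authentication or DNS failure all surface as the generic "Cluster is not available or not reachable" with no way to tell which; `return errors.Wrap(err, "cluster is not available or not reachable")` keeps the cause (and a lowercase message follows Go convention). In CreateLoopbackService the return value of `servicesClient.Delete(...)` is dropped; a NotFound there is expected, but an RBAC or connection error is hidden and only shows up later as a confusing Create failure, so check it with `if err := servicesClient.Delete(...); err != nil && !apierrors.IsNotFound(err) { return errors.Wrap(err, "unable to delete existing loopback service") }` using `k8s.io/apimachinery/pkg/api/errors`. Both functions are moved from admin_cluster_create_cmd.go, so the gap predates the commit but is now in a shared package.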
@@ -35,25 +36,33 @@ func NewKindClusterConfig(kubeconfig string) *KindClusterConfig { fallback = filepath.Join(home, clientcmd.RecommendedHomeDir, clientcmd.RecommendedFileName) } - return &KindClusterConfig{ClusterConfig{KubeconfigPath(kubeconfig, fallback)}} + provider := cluster.NewProvider( + cluster.ProviderWithLogger(cmd.NewLogger()), + ) + + return &KindClusterConfig{ClusterConfig{KubeconfigPath(kubeconfig, fallback), ""}, provider} } //go:embed kindclusterconfig.yaml.tpl var clusterConfigTemplateData string -func (o *KindClusterConfig) CreateCluster(config *config.InstallationConfig, image string) error { - provider := cluster.NewProvider( - cluster.ProviderWithLogger(cmd.NewLogger()), - ) - - clusters, err := provider.List() +func (o *KindClusterConfig) ClusterExists() (bool, error) { + clusters, err := o.provider.List() if err != nil { - return errors.Wrap(err, "unable to get list of clusters") + return false, errors.Wrap(err, "unable to get list of clusters") } if slices.Contains(clusters, "educates") { - return errors.New("cluster for Educates already exists") + return true, errors.New("cluster for Educates already exists") + } + + return false, nil +} + +func (o *KindClusterConfig) CreateCluster(config *config.InstallationConfig, image string) error { + if exists, err := o.ClusterExists(); !exists && err != nil { + return err } clusterConfigTemplate, err := template.New("kind-cluster-config").Parse(clusterConfigTemplateData) 
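Review bot: The guard in CreateCluster, `if exists, err := o.ClusterExists(); !exists && err != nil`, no longer stops when the cluster already exists: ClusterExists reports that case as `(true, errors.New(...))`, `!exists` is then false, and the function goes on to render the config and call `o.provider.Create` against an existing cluster, whereas the replaced code returned the "already exists" error at this point. Returning `true, nil` from ClusterExists when the name is found and checking the two results separately in CreateCluster restores the early return. The other callers (DeleteCluster, StopCluster, StartCluster, ClusterStatus) already treat `exists == true` as success, so they are unaffected by that change. CreateCluster's body continues past this hunk.
```go
func (o *KindClusterConfig) ClusterExists() (bool, error) {
	// … unchanged: o.provider.List() and its error handling …
	if slices.Contains(clusters, "educates") {
		return true, nil
	}

	return false, nil
}

func (o *KindClusterConfig) CreateCluster(config *config.InstallationConfig, image string) error {
	exists, err := o.ClusterExists()
	if err != nil {
		return err
	}
	if exists {
		return errors.New("cluster for Educates already exists")
	}
	// … unchanged: template parsing and cluster creation …
```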
@@ -70,12 +79,21 @@ func (o *KindClusterConfig) CreateCluster(config *config.InstallationConfig, ima return errors.Wrap(err, "failed to generate cluster config") } - if err := provider.Create( + // Save the cluster config to a file + kindConfigPath := filepath.Join(utils.GetEducatesHomeDir(), "educates-cluster-config.yaml") + err = os.WriteFile(kindConfigPath, clusterConfigData.Bytes(), 0644) + if err != nil { + return errors.Wrap(err, "failed to write cluster config to file") + } + // TODO: Make this output only show when verbose is enabled + fmt.Println("Cluster config used is saved to: ", kindConfigPath) + + if err := o.provider.Create( "educates", cluster.CreateWithRawConfig(clusterConfigData.Bytes()), cluster.CreateWithNodeImage(image), cluster.CreateWithWaitForReady(time.Duration(time.Duration(60)*time.Second)), - cluster.CreateWithKubeconfigPath(o.Kubeconfig), + cluster.CreateWithKubeconfigPath(o.Config.Kubeconfig), cluster.CreateWithDisplayUsage(true), cluster.CreateWithDisplaySalutation(true), ); err != nil { @@ -86,13 +104,16 @@ func (o *KindClusterConfig) CreateCluster(config *config.InstallationConfig, ima } func (o *KindClusterConfig) DeleteCluster() error { - provider := cluster.NewProvider( - cluster.ProviderWithLogger(cmd.NewLogger()), - ) + if exists, err := o.ClusterExists(); !exists { + if err != nil { + return err + } + return errors.New("cluster for Educates does not exist") + } fmt.Println("Deleting cluster educates ...") - if err := provider.Delete("educates", o.Kubeconfig); err != nil { + if err := o.provider.Delete("educates", o.Config.Kubeconfig); err != nil { return errors.Wrapf(err, "failed to delete cluster") } 
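Review bot: Saving the rendered kind config under `utils.GetEducatesHomeDir()` is a debugging convenience, yet a failed write (`return errors.Wrap(err, "failed to write cluster config to file")`) aborts cluster creation; unless that helper is known to create the directory, a machine without the Educates home directory would never reach `o.provider.Create`. Either ensure the directory first, `os.MkdirAll(utils.GetEducatesHomeDir(), 0755)`, or print a warning on write failure and continue. The `fmt.Println` of the path is unconditional despite the TODO beside it. CreateCluster starts before this hunk.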
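Review bot: The five-line existence guard added to DeleteCluster here is repeated verbatim in StopCluster (hunk `@@ -102,18 +123,11 @@`), StartCluster and ClusterStatus (hunk `@@ -148,18 +162,42 @@`), each with its own copy of the "cluster for Educates does not exist" message. A small helper keeps the wording and the exists/err interplay in one place, and each caller collapses to `if err := o.requireCluster(); err != nil { return err }`. The helper below preserves the current guard semantics, including the case where ClusterExists returns a non-nil error alongside `true`.
```go
// requireCluster returns an error when the Educates kind cluster is not
// present, or when its presence could not be determined.
func (o *KindClusterConfig) requireCluster() error {
	exists, err := o.ClusterExists()
	if !exists {
		if err != nil {
			return err
		}
		return errors.New("cluster for Educates does not exist")
	}
	return nil
}
```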
@@ -102,18 +123,11 @@ func (o *KindClusterConfig) DeleteCluster() error { func (o *KindClusterConfig) StopCluster() error { ctx := context.Background() - provider := cluster.NewProvider( - cluster.ProviderWithLogger(cmd.NewLogger()), - ) - - clusters, err := provider.List() - - if err != nil { - return errors.Wrap(err, "unable to get list of clusters") - } - - if !slices.Contains(clusters, "educates") { - return errors.New("cluster for Educates doesn't exist") + if exists, err := o.ClusterExists(); !exists { + if err != nil { + return err + } + return errors.New("cluster for Educates does not exist") } cli, err := client.NewClientWithOpts(client.FromEnv) 
@@ -148,18 +162,42 @@ func (o *KindClusterConfig) StopCluster() error { func (o *KindClusterConfig) StartCluster() error { ctx := context.Background() - provider := cluster.NewProvider( - cluster.ProviderWithLogger(cmd.NewLogger()), - ) + if exists, err := o.ClusterExists(); !exists { + if err != nil { + return err + } + return errors.New("cluster for Educates does not exist") + } - clusters, err := provider.List() + cli, err := client.NewClientWithOpts(client.FromEnv) if err != nil { - return errors.Wrap(err, "unable to get list of clusters") + return errors.Wrap(err, "unable to create docker client") } - if !slices.Contains(clusters, "educates") { - return errors.New("cluster for Educates doesn't exist") + _, err = cli.ContainerInspect(ctx, "educates-control-plane") + + if err != nil { + return errors.Wrap(err, "no container for Educates cluster") + } + + fmt.Println("Starting cluster educates ...") + + if err := cli.ContainerStart(ctx, "educates-control-plane", container.StartOptions{}); err != nil { + return errors.Wrapf(err, "failed to start cluster") + } + + return nil +} + +func (o *KindClusterConfig) ClusterStatus() error { + ctx := context.Background() + + if exists, err := o.ClusterExists(); !exists { + if err != nil { + return err + } + return errors.New("cluster for Educates does not exist") } cli, err := client.NewClientWithOpts(client.FromEnv) 
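Review bot: The literals `"educates"` and `"educates-control-plane"` are repeated across ClusterExists, CreateCluster, DeleteCluster, StartCluster and the new ClusterStatus, and the second is derived from the first by kind's naming convention, so a rename of one site silently desynchronises the others. Two package-level constants, `const kindClusterName = "educates"` and `const kindControlPlaneContainer = kindClusterName + "-control-plane"`, make the dependency explicit and give the lookups a single source. StartCluster begins before this hunk and ClusterStatus continues past it.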
@@ -168,16 +206,19 @@ func (o *KindClusterConfig) StartCluster() error { return errors.Wrap(err, "unable to create docker client") } - _, err = cli.ContainerInspect(ctx, "educates-control-plane") + containerJSON, err := cli.ContainerInspect(ctx, "educates-control-plane") if err != nil { return errors.Wrap(err, "no container for Educates cluster") } - fmt.Println("Starting cluster educates ...") - - if err := cli.ContainerStart(ctx, "educates-control-plane", types.ContainerStartOptions{}); err != nil { - return errors.Wrapf(err, "failed to start cluster") + if containerJSON.State.Running { + fmt.Println("Educates cluster is Running") + // if ip, err := config.HostIP(); err == nil { + // fmt.Println(" Cluster IP: ", ip) + // } + } else { + fmt.Println("Educates cluster is NOT Running") } return nil diff --git a/client-programs/pkg/cluster/kindclusterconfig.yaml.tpl b/client-programs/pkg/cluster/kindclusterconfig.yaml.tpl index 964d55519..3bdc2829d 100644 --- a/client-programs/pkg/cluster/kindclusterconfig.yaml.tpl +++ b/client-programs/pkg/cluster/kindclusterconfig.yaml.tpl @@ -1,5 +1,17 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 +{{- if .LocalKindCluster.ApiServer.Address }} +networking: + # WARNING: It is _strongly_ recommended that you keep this the default + # (127.0.0.1) for security reasons. However it is possible to change this. + apiServerAddress: "{{ .LocalKindCluster.ApiServer.Address }}" + {{- if .LocalKindCluster.ApiServer.Port }} + # By default the API server listens on a random open port. + # You may choose a specific port but probably don't need to in most cases. + # Using a random port makes it easier to spin up multiple clusters. + apiServerPort: {{- .LocalKindCluster.ApiServer.Port }} + {{- end }} +{{- end }} nodes: - role: control-plane kubeadmConfigPatches: 
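Review bot: ClusterStatus reports the result only through `fmt.Println` and returns nil in both the running and not-running branches, so a caller cannot branch on the outcome, which limits the method to interactive use; since it is new in this commit, returning the state, e.g. `func (o *KindClusterConfig) ClusterStatus() (bool, error)` with `return containerJSON.State.Running, nil`, costs nothing and lets the command layer do the printing. The commented-out `config.HostIP()` block should be removed or turned into a one-line TODO rather than shipped as dead code. `containerJSON.State` is a pointer in the Docker API types, so a nil check before `.Running` would be prudent if inspect can return a base without state — worth confirming against the client version in go.mod. The function starts in the previous hunk.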
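Review bot: `apiServerPort: {{- .LocalKindCluster.ApiServer.Port }}` uses the left-trim marker, which removes the space after the colon, so the rendered line is `apiServerPort:6443` (constructed example); without a space after the colon YAML does not treat this as a key/value pair and kind's config loader rejects the `networking` block whenever a port is set. Drop the dash: `apiServerPort: {{ .LocalKindCluster.ApiServer.Port }}`. The surrounding `{{- if` / `{{- end }}` trims are fine because they only affect the line breaks around the block. The retained WARNING about keeping `apiServerAddress` on 127.0.0.1 is the right guidance for anyone changing this, since a non-loopback address exposes the API server beyond the host.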
@@ -39,10 +51,8 @@ nodes: {{- end }} containerdConfigPatches: - |- - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5001"] - endpoint = ["http://educates-registry:5000"] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.default.svc.cluster.local"] - endpoint = ["http://educates-registry:5000"] + [plugins."io.containerd.grpc.v1.cri".registry] + config_path = "/etc/containerd/certs.d" {{- if eq .ClusterSecurity.PolicyEngine "pod-security-standards" }} featureGates: PodSecurity: true diff --git a/client-programs/pkg/cmd/admin_cluster_create_cmd.go b/client-programs/pkg/cmd/admin_cluster_create_cmd.go deleted file mode 100644 index ae0b6fe5c..000000000 --- a/client-programs/pkg/cmd/admin_cluster_create_cmd.go +++ /dev/null 
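Review bot: Replacing the explicit `registry.mirrors` entries with `config_path = "/etc/containerd/certs.d"` moves the mapping of `localhost:5001` and `registry.default.svc.cluster.local` to `educates-registry:5000` out of the template, but nothing in this file says where the per-host `hosts.toml` files under that directory now come from; a reader of the template can no longer tell how the local registry is reached from the node. A template comment that is not rendered into the containerd config would close the gap, e.g. `{{/* Registry hosts are provided as hosts.toml files under /etc/containerd/certs.d, generated by <PLACEHOLDER: component that writes them> */}}` placed above `containerdConfigPatches`. If that provisioning lives in another part of this commit, naming the file here is enough.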
@@ -1,458 +0,0 @@ -package cmd - -import ( - "context" - _ "embed" - "fmt" - "io" - "os" - "path" - "time" - - "github.com/adrg/xdg" - "github.com/cppforlife/go-cli-ui/ui" - "github.com/docker/docker/api/types" - "github.com/docker/docker/api/types/container" - "github.com/docker/docker/client" - "github.com/docker/go-connections/nat" - "github.com/pkg/errors" - "github.com/spf13/cobra" - "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd" - "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd/app" - "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd/core" - "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd/tools" - "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/logger" - "gopkg.in/yaml.v2" - apiv1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/client-go/kubernetes" - "k8s.io/kubectl/pkg/scheme" - - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/operators" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/registry" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/services" -) - -type AdminClusterCreateOptions struct { - Config string - Kubeconfig string - ClusterImage string - Domain string - PackageRepository string - Version string - KappControllerVersion string - WithServices bool - WithPlatform bool -} - -func (o *AdminClusterCreateOptions) Run() error { - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) - - if err != nil { - return err - } - - fullConfig.ClusterInfrastructure.Provider = "kind" - - if o.Domain != "" { - fullConfig.ClusterIngress.Domain = o.Domain - - fullConfig.ClusterIngress.TLSCertificate = config.TLSCertificateConfig{} - - fullConfig.ClusterIngress.TLSCertificateRef.Namespace = "" - 
fullConfig.ClusterIngress.TLSCertificateRef.Name = "" - } - - if secretName := CachedSecretForIngressDomain(fullConfig.ClusterIngress.Domain); secretName != "" { - fullConfig.ClusterIngress.TLSCertificateRef.Namespace = "educates-secrets" - fullConfig.ClusterIngress.TLSCertificateRef.Name = secretName - } - - if secretName := CachedSecretForCertificateAuthority(fullConfig.ClusterIngress.Domain); secretName != "" { - fullConfig.ClusterIngress.CACertificateRef.Namespace = "educates-secrets" - fullConfig.ClusterIngress.CACertificateRef.Name = secretName - } - - if fullConfig.ClusterIngress.CACertificateRef.Name != "" || fullConfig.ClusterIngress.CACertificate.Certificate != "" { - fullConfig.ClusterIngress.CANodeInjector.Enabled = true - } - - clusterConfig := cluster.NewKindClusterConfig(o.Kubeconfig) - - httpAvailable, err := checkPortAvailability(fullConfig.LocalKindCluster.ListenAddress, []uint{80, 443}) - - if err != nil { - return errors.Wrap(err, "couldn't test whether ports 80/443 available") - } - - if !httpAvailable { - return errors.New("ports 80/443 not available") - } - - err = clusterConfig.CreateCluster(fullConfig, o.ClusterImage) - - if err != nil { - return err - } - - client, err := clusterConfig.GetClient() - - if err != nil { - return err - } - - err = SyncSecretsToCluster(client) - - if err != nil { - return err - } - - confUI := ui.NewConfUI(ui.NewNoopLogger()) - - uiFlags := cmd.UIFlags{ - Color: true, - JSON: false, - NonInteractive: true, - } - - uiFlags.ConfigureUI(confUI) - - defer confUI.Flush() - - configFactory := core.NewConfigFactoryImpl() - configFactory.ConfigurePathResolver(func() (string, error) { return clusterConfig.Kubeconfig, nil }) - configFactory.ConfigureContextResolver(func() (string, error) { return "", nil }) - configFactory.ConfigureYAMLResolver(func() (string, error) { return "", nil }) - - depsFactory := core.NewDepsFactoryImpl(configFactory, confUI) - kappLogger := logger.NewUILogger(confUI) - - kappConfig := 
app.NewDeployOptions(confUI, depsFactory, kappLogger) - - kappConfig.AppFlags = app.Flags{ - Name: "kapp-controller", - NamespaceFlags: core.NamespaceFlags{ - Name: "default", - }, - } - - var deploymentFiles []string - - if fullConfig.ClusterIngress.CACertificateRef.Name != "" { - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") - name := fullConfig.ClusterIngress.CACertificateRef.Name + ".yaml" - certificateFullPath := path.Join(secretsCacheDir, name) - - secretYAML, err := os.ReadFile(certificateFullPath) - - if err != nil { - return errors.Wrap(err, "unable to read CA certificate secret file") - } - - parsedSecret := &apiv1.Secret{} - decoder := scheme.Codecs.UniversalDeserializer() - - _, _, err = decoder.Decode([]byte(secretYAML), nil, parsedSecret) - - if err != nil { - return errors.Wrap(err, "unable to parse CA certificate secret file") - } - - certificateData, found := parsedSecret.Data["ca.crt"] - - if !found { - return errors.New("CA certificate secret file doesn't contain ca.crt") - } - - kappConfigSecret := &apiv1.Secret{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "v1", - Kind: "Secret", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "kapp-controller-config", - Namespace: "kapp-controller", - }, - StringData: map[string]string{ - "caCerts": string(certificateData), - }, - } - - kappConfigObject, err := runtime.DefaultUnstructuredConverter.ToUnstructured(kappConfigSecret) - - if err != nil { - return errors.Wrap(err, "cannot convert kapp-controller config to object") - } - - kappConfigYAML, err := yaml.Marshal(&kappConfigObject) - - if err != nil { - return errors.Wrap(err, "couldn't generate YAML for kapp-controller config") - } - - kappConfigPath := path.Join(configFileDir, "kapp-controller-config.yaml") - - err = os.WriteFile(kappConfigPath, kappConfigYAML, 0644) - - if err != nil { - return errors.Wrap(err, "cannot write kapp-controller config file") - } - - deploymentFiles = 
append(deploymentFiles, kappConfigPath) - } - - deploymentFiles = append(deploymentFiles, fmt.Sprintf("https://github.com/carvel-dev/kapp-controller/releases/download/v%s/release.yml", o.KappControllerVersion)) - - kappConfig.FileFlags = tools.FileFlags{ - Files: deploymentFiles, - } - - kappConfig.ApplyFlags.ClusterChangeOpts.Wait = true - - kappConfig.ApplyFlags.ApplyingChangesOpts.Concurrency = 5 - - kappConfig.ApplyFlags.WaitingChangesOpts.CheckInterval = time.Duration(1) * time.Second - kappConfig.ApplyFlags.WaitingChangesOpts.Timeout = time.Duration(15) * time.Minute - kappConfig.ApplyFlags.WaitingChangesOpts.Concurrency = 5 - - kappConfig.DeployFlags.ExistingNonLabeledResourcesCheck = false - kappConfig.DeployFlags.ExistingNonLabeledResourcesCheckConcurrency = 5 - kappConfig.DeployFlags.AppChangesMaxToKeep = 5 - - err = kappConfig.Run() - - if err != nil { - return errors.Wrap(err, "failed to deploy kapp-controller") - } - - err = registry.DeployRegistry() - - if err != nil { - return errors.Wrap(err, "failed to deploy registry") - } - - err = registry.LinkRegistryToCluster() - - if err != nil { - return errors.Wrap(err, "failed to link registry to cluster") - } - - if err = registry.UpdateRegistryService(client); err != nil { - return errors.Wrap(err, "failed to create service for registry") - } - - if err = createLoopbackService(client, fullConfig.ClusterIngress.Domain); err != nil { - return err - } - - if !o.WithServices { - return nil - } - - servicesConfig := config.ClusterEssentialsConfig{ - ClusterInfrastructure: fullConfig.ClusterInfrastructure, - ClusterPackages: fullConfig.ClusterPackages, - ClusterSecurity: fullConfig.ClusterSecurity, - } - - if err = services.DeployServices(o.Version, o.PackageRepository, &clusterConfig.ClusterConfig, &servicesConfig); err != nil { - return errors.Wrap(err, "failed to deploy cluster essentials services") - } - - if !o.WithPlatform { - return nil - } - - platformConfig := config.TrainingPlatformConfig{ - 
ClusterSecurity: fullConfig.ClusterSecurity, - ClusterRuntime: fullConfig.ClusterRuntime, - ClusterIngress: fullConfig.ClusterIngress, - SessionCookies: fullConfig.SessionCookies, - ClusterStorage: fullConfig.ClusterStorage, - ClusterSecrets: fullConfig.ClusterSecrets, - TrainingPortal: fullConfig.TrainingPortal, - WorkshopSecurity: fullConfig.WorkshopSecurity, - ImageRegistry: fullConfig.ImageRegistry, - ImageVersions: fullConfig.ImageVersions, - DockerDaemon: fullConfig.DockerDaemon, - ClusterNetwork: fullConfig.ClusterNetwork, - WorkshopAnalytics: fullConfig.WorkshopAnalytics, - WebsiteStyling: fullConfig.WebsiteStyling, - } - - if err = operators.DeployOperators(o.Version, o.PackageRepository, &clusterConfig.ClusterConfig, &platformConfig); err != nil { - return errors.Wrap(err, "failed to deploy training platform components") - } - - return nil -} - -func (p *ProjectInfo) NewAdminClusterCreateCmd() *cobra.Command { - var o AdminClusterCreateOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "create", - Short: "Creates a local Kubernetes cluster", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - - c.Flags().StringVar( - &o.Config, - "config", - "", - "path to the installation config file for Educates", - ) - c.Flags().StringVar( - &o.Kubeconfig, - "kubeconfig", - "", - "kubeconfig file to use instead of $HOME/.kube/config", - ) - c.Flags().StringVar( - &o.ClusterImage, - "kind-cluster-image", - "", - "docker image to use when booting the kind cluster", - ) - c.Flags().StringVar( - &o.Domain, - "domain", - "", - "wildcard ingress subdomain name for Educates", - ) - c.Flags().StringVar( - &o.PackageRepository, - "package-repository", - p.ImageRepository, - "image repository hosting package bundles", - ) - c.Flags().StringVar( - &o.Version, - "version", - p.Version, - "version of Educates training platform to be installed", - ) - c.Flags().StringVar( - &o.KappControllerVersion, - "kapp-controller-version", - "0.47.0", - 
"version of kapp-controller operator to be installed", - ) - c.Flags().BoolVar( - &o.WithServices, - "with-services", - true, - "deploy extra cluster services required for Educates", - ) - c.Flags().BoolVar( - &o.WithPlatform, - "with-platform", - true, - "deploy all the Educates training platform components", - ) - - return c -} - -func checkPortAvailability(listenAddress string, ports []uint) (bool, error) { - ctx := context.Background() - - cli, err := client.NewClientWithOpts(client.FromEnv) - - if err != nil { - return false, errors.Wrap(err, "unable to create docker client") - } - - cli.ContainerRemove(ctx, "educates-port-availability-check", types.ContainerRemoveOptions{}) - - reader, err := cli.ImagePull(ctx, "docker.io/library/busybox:latest", types.ImagePullOptions{}) - if err != nil { - return false, errors.Wrap(err, "cannot pull busybox image") - } - - defer reader.Close() - io.Copy(os.Stdout, reader) - - if listenAddress == "" { - listenAddress, err = config.HostIP() - - if err != nil { - listenAddress = "127.0.0.1" - } - } - - hostConfig := &container.HostConfig{ - PortBindings: nat.PortMap{}, - } - - exposedPorts := nat.PortSet{} - - for _, port := range ports { - key := nat.Port(fmt.Sprintf("%d/tcp", port)) - hostConfig.PortBindings[key] = []nat.PortBinding{ - { - HostIP: listenAddress, - HostPort: fmt.Sprintf("%d", port), - }, - } - exposedPorts[key] = struct{}{} - } - - resp, err := cli.ContainerCreate(ctx, &container.Config{ - Image: "docker.io/library/busybox:latest", - Cmd: []string{"/bin/true"}, - Tty: false, - ExposedPorts: exposedPorts, - }, hostConfig, nil, nil, "educates-port-availability-check") - - if err != nil { - return false, errors.Wrap(err, "cannot create busybox container") - } - - defer cli.ContainerRemove(ctx, "educates-port-availability-check", types.ContainerRemoveOptions{}) - - if err := cli.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{}); err != nil { - return false, errors.Wrap(err, "cannot start busybox 
container") - } - - statusCh, errCh := cli.ContainerWait(ctx, "educates-port-availability-check", container.WaitConditionNotRunning) - - select { - case err := <-errCh: - if err != nil { - return false, nil - } - case <-statusCh: - } - - return true, nil -} - -func createLoopbackService(k8sclient *kubernetes.Clientset, domain string) error { - service := apiv1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "loopback", - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeExternalName, - ExternalName: fmt.Sprintf("localhost.%s", domain), - }, - } - - servicesClient := k8sclient.CoreV1().Services("default") - - servicesClient.Delete(context.TODO(), "loopback", *metav1.NewDeleteOptions(0)) - - _, err := servicesClient.Create(context.TODO(), &service, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create localhost loopback service") - } - - return nil -} diff --git a/client-programs/pkg/cmd/admin_cmd_group.go b/client-programs/pkg/cmd/admin_cmd_group.go index 9d19af9f0..2fe948908 100644 --- a/client-programs/pkg/cmd/admin_cmd_group.go +++ b/client-programs/pkg/cmd/admin_cmd_group.go @@ -8,7 +8,7 @@ import ( func (p *ProjectInfo) NewAdminCmdGroup() *cobra.Command { var c = &cobra.Command{ Use: "admin", - Short: "Tools for installing Educates on Kubernetes", + Short: "Tools for administering Educates on Kubernetes", } // Use a command group as it allows us to dictate the order in which they @@ -19,13 +19,9 @@ func (p *ProjectInfo) NewAdminCmdGroup() *cobra.Command { { Message: "Available Commands:", Commands: []*cobra.Command{ - p.NewAdminClusterCmdGroup(), - p.NewAdminConfigCmdGroup(), - p.NewAdminSecretsCmdGroup(), - p.NewAdminRegistryCmdGroup(), - p.NewAdminResolverCmdGroup(), - p.NewAdminServicesCmdGroup(), p.NewAdminPlatformCmdGroup(), + p.NewAdminLookupCmdGroup(), + p.NewAdminDiagnosticsCmdGroup(), }, }, } 
diff --git a/client-programs/pkg/cmd/admin_config_reset_cmd.go b/client-programs/pkg/cmd/admin_config_reset_cmd.go deleted file mode 100644 index 39a571d25..000000000 --- a/client-programs/pkg/cmd/admin_config_reset_cmd.go +++ /dev/null @@ -1,27 +0,0 @@ -package cmd - -import ( - "os" - "path" - - "github.com/adrg/xdg" - "github.com/spf13/cobra" -) - -func (p *ProjectInfo) NewAdminConfigResetCmd() *cobra.Command { - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "reset", - Short: "Reset default configuration", - RunE: func(_ *cobra.Command, _ []string) error { - configFileDir := path.Join(xdg.DataHome, "educates") - valuesFile := path.Join(configFileDir, "values.yaml") - - os.Remove(valuesFile) - - return nil - }, - } - - return c -} diff --git a/client-programs/pkg/cmd/admin_config_view_cmd.go b/client-programs/pkg/cmd/admin_config_view_cmd.go deleted file mode 100644 index 511956d60..000000000 --- a/client-programs/pkg/cmd/admin_config_view_cmd.go +++ /dev/null 
@@ -1,63 +0,0 @@ -package cmd - -import ( - "fmt" - - "github.com/pkg/errors" - "github.com/spf13/cobra" - "gopkg.in/yaml.v2" - - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" -) - -type AdminConfigViewOptions struct { - Config string -} - -func (o *AdminConfigViewOptions) Run() error { - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) - - if err != nil { - return err - } - - if secretName := CachedSecretForIngressDomain(fullConfig.ClusterIngress.Domain); secretName != "" { - fullConfig.ClusterIngress.TLSCertificateRef.Namespace = "educates-secrets" - fullConfig.ClusterIngress.TLSCertificateRef.Name = secretName - } - - if secretName := CachedSecretForCertificateAuthority(fullConfig.ClusterIngress.Domain); secretName != "" { - fullConfig.ClusterIngress.CACertificateRef.Namespace = "educates-secrets" - fullConfig.ClusterIngress.CACertificateRef.Name = secretName - } - - configData, err := yaml.Marshal(&fullConfig) - - if err != nil { - return errors.Wrap(err, "failed to generate installation config") - } - - fmt.Print(string(configData)) - - return nil -} - -func (p *ProjectInfo) NewAdminConfigViewCmd() *cobra.Command { - var o AdminConfigViewOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "view", - Short: "View complete configuration", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - - c.Flags().StringVar( - &o.Config, - "config", - "", - "path to the installation config file for Educates", - ) - - return c -} diff --git a/client-programs/pkg/cmd/admin_diagnostics_analyze_cmd.go b/client-programs/pkg/cmd/admin_diagnostics_analyze_cmd.go new file mode 100644 index 000000000..62dc7d21a --- /dev/null +++ b/client-programs/pkg/cmd/admin_diagnostics_analyze_cmd.go 
@@ -0,0 +1,53 @@ +package cmd + +import ( + "fmt" + + "github.com/spf13/cobra" +) + +type AdminDiagnosticsAnalyzeOptions struct { + File string + Dir string +} + +func (o *AdminDiagnosticsAnalyzeOptions) Run() error { + // clusterConfig := cluster.NewClusterConfig(o.Kubeconfig, "") + + // diagnostics := diagnostics.NewClusterDiagnostics(clusterConfig, o.Dest) + + // if err := diagnostics.Run(); err != nil { + // return err + // } + + return fmt.Errorf("Not implemented yet") +} + +func (p *ProjectInfo) NewAdminDiagnosticsAnalyzeCmd() *cobra.Command { + var o AdminDiagnosticsAnalyzeOptions + + var c = &cobra.Command{ + Args: cobra.NoArgs, + Use: "analyze", + Short: "Analyze diagnostic information for an Educates cluster", + RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, + } + + c.Flags().StringVar( + &o.File, + "file", + getDefaultFilename(), + "Path to the diagnostics file is located", + ) + + c.Flags().StringVar( + &o.Dir, + "dir", + "", + "Path to the directory where the diagnostics files are located", + ) + + // c.MarkFlagRequired("dest") + + return c +} diff --git a/client-programs/pkg/cmd/admin_services_cmd_group.go b/client-programs/pkg/cmd/admin_diagnostics_cmd_group.go similarity index 68% rename from client-programs/pkg/cmd/admin_services_cmd_group.go rename to client-programs/pkg/cmd/admin_diagnostics_cmd_group.go index d132c00ac..e447e74d9 100644 --- a/client-programs/pkg/cmd/admin_services_cmd_group.go +++ b/client-programs/pkg/cmd/admin_diagnostics_cmd_group.go @@ -5,10 +5,10 @@ import ( "k8s.io/kubectl/pkg/util/templates" ) -func (p *ProjectInfo) NewAdminServicesCmdGroup() *cobra.Command { +func (p *ProjectInfo) NewAdminDiagnosticsCmdGroup() *cobra.Command { var c = &cobra.Command{ - Use: "services", - Short: "Install cluster services", + Use: "diagnostics", + Short: "Diagnostic commands for the local Kubernetes cluster", } // Use a command group as it allows us to dictate the order in which they 
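Review bot: Run always returns `fmt.Errorf("Not implemented yet")`, yet the command is wired into the diagnostics group (next file section) and shows up in `--help`; until the analyzer exists, `Hidden: true` on the cobra.Command keeps the stub out of user-facing help, and the message itself should be `errors.New("not implemented yet")` — lowercase per Go convention and with no format verbs to justify Errorf. The `--file` help text, "Path to the diagnostics file is located", is garbled; "Path to the diagnostics file" reads correctly. The commented-out body and the commented `c.MarkFlagRequired("dest")` (which names a flag this command does not define) should be removed or reduced to a single TODO.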
@@ -19,9 +19,8 @@ func (p *ProjectInfo) NewAdminServicesCmdGroup() *cobra.Command { { Message: "Available Commands:", Commands: []*cobra.Command{ - p.NewAdminServicesConfigCmdGroup(), - p.NewAdminServicesDeployCmd(), - p.NewAdminServicesDeleteCmd(), + p.NewAdminDiagnosticsCollectCmd(), + p.NewAdminDiagnosticsAnalyzeCmd(), }, }, } diff --git a/client-programs/pkg/cmd/admin_diagnostics_collect_cmd.go b/client-programs/pkg/cmd/admin_diagnostics_collect_cmd.go new file mode 100644 index 000000000..1d78f4b7e --- /dev/null +++ b/client-programs/pkg/cmd/admin_diagnostics_collect_cmd.go 
@@ -0,0 +1,82 @@ +package cmd + +import ( + "os" + "path/filepath" + + "github.com/mitchellh/go-homedir" + "github.com/spf13/cobra" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/diagnostics" +) + +type AdminDiagnosticsCollectOptions struct { + KubeconfigOptions + Dest string + Verbose bool +} + +func (o *AdminDiagnosticsCollectOptions) Run() error { + clusterConfig := cluster.NewClusterConfig(o.Kubeconfig, o.Context) + + diagnostics := diagnostics.NewClusterDiagnostics(clusterConfig, o.Dest, o.Verbose) + + if err := diagnostics.Run(); err != nil { + return err + } + + return nil +} + +func (p *ProjectInfo) NewAdminDiagnosticsCollectCmd() *cobra.Command { + var o AdminDiagnosticsCollectOptions + + var c = &cobra.Command{ + Args: cobra.NoArgs, + Use: "collect", + Short: "Collect diagnostic information for an Educates cluster", + RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, + } + + c.Flags().StringVar( + &o.Kubeconfig, + "kubeconfig", + "", + "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", + ) + + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + + c.Flags().StringVar( + &o.Dest, + "dest", + getDefaultFilename(), + "Path to the directory where the diagnostics files will be generated", + ) + + c.Flags().BoolVar( + &o.Verbose, + "verbose", + false, + "print verbose output", + ) + // c.MarkFlagRequired("dest") + + return c +} + +func getDefaultFilename() string { + dir, err := os.Getwd() + if err != nil { + dir, err = homedir.Dir() + if err != nil { + dir = os.TempDir() + } + } + return filepath.Join(dir, "educates-diagnostics.tar.gz") +} 
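Review bot: The `--dest` help text says "Path to the directory where the diagnostics files will be generated", but its default, `getDefaultFilename()`, is a file path ending in `educates-diagnostics.tar.gz`, so the flag documents a directory while defaulting to an archive file. One of the two should change so the user knows what to pass; if the archive reading is the intended one, `"Path of the archive file the diagnostics will be written to"` fits the default. `diagnostics := diagnostics.NewClusterDiagnostics(...)` shadows the imported package inside `Run`; a local such as `diag` avoids the lint warning. The commented-out `// c.MarkFlagRequired("dest")` is dead now that a default is supplied and can be removed.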
diff --git a/client-programs/pkg/cmd/admin_config_cmd_group.go b/client-programs/pkg/cmd/admin_lookup_cmd_group.go similarity index 70% rename from client-programs/pkg/cmd/admin_config_cmd_group.go rename to client-programs/pkg/cmd/admin_lookup_cmd_group.go index 870acd9b8..d135f43c1 100644 --- a/client-programs/pkg/cmd/admin_config_cmd_group.go +++ b/client-programs/pkg/cmd/admin_lookup_cmd_group.go @@ -5,10 +5,10 @@ import ( "k8s.io/kubectl/pkg/util/templates" ) -func (p *ProjectInfo) NewAdminConfigCmdGroup() *cobra.Command { +func (p *ProjectInfo) NewAdminLookupCmdGroup() *cobra.Command { var c = &cobra.Command{ - Use: "config", - Short: "Manage configuration files", + Use: "lookup", + Short: "Manage Educates lookup service", } // Use a command group as it allows us to dictate the order in which they @@ -19,9 +19,7 @@ func (p *ProjectInfo) NewAdminConfigCmdGroup() *cobra.Command { { Message: "Available Commands:", Commands: []*cobra.Command{ - p.NewAdminConfigEditCmd(), - p.NewAdminConfigViewCmd(), - p.NewAdminConfigResetCmd(), + p.NewAdminLookupKubeconfigCmd(), }, }, } diff --git a/client-programs/pkg/cmd/admin_lookup_kubeconfig_cmd.go b/client-programs/pkg/cmd/admin_lookup_kubeconfig_cmd.go new file mode 100644 index 000000000..29a4dc69b --- /dev/null +++ b/client-programs/pkg/cmd/admin_lookup_kubeconfig_cmd.go 
@@ -0,0 +1,133 @@ +package cmd + +import ( + "context" + "encoding/base64" + "fmt" + "io/ioutil" + + "github.com/pkg/errors" + "github.com/spf13/cobra" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type LookupConfigOptions struct { + KubeconfigOptions + OutputPath string +} + +func (o *LookupConfigOptions) Run() error { + var err error + + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + if err != nil { + return err + } + + client, err := clusterConfig.GetClient() + + if err != nil { + return err + } + + // We need to fetch the secret called "remote-access-token" from the + // "educates" namespace. This contains a Kubernetes access token secret + // giving access to just the Educates custom resources. + + secretsClient := client.CoreV1().Secrets("educates") + + secret, err := secretsClient.Get(context.TODO(), "remote-access-token", metav1.GetOptions{}) + + if err != nil { + return errors.Wrapf(err, "unable to fetch remote-access secret") + } + + // Within the secret are data fields for "ca.crt" and "token". We need to + // extract these and use them to create a kubeconfig file. Note that there + // is no "server" property in the secret, so when constructing the kubeconfig + // we need to use the server from the same cluster as we are requesting the + // secret from. + + caCrt := secret.Data["ca.crt"] + token := secret.Data["token"] + + // Get the server from the client for Kubernetes cluster access. + + serverScheme := client.CoreV1().RESTClient().Get().URL().Scheme + serverHost := client.CoreV1().RESTClient().Get().URL().Host + + serverUrl := fmt.Sprintf("%s://%s", serverScheme, serverHost) + + // Construct the kubeconfig file. We need to base64 encode the ca.crt file + // as it is a binary file. 
+ + kubeconfig := fmt.Sprintf(`apiVersion: v1 +kind: Config +clusters: +- name: training-platform + cluster: + server: %s + certificate-authority-data: %s +contexts: +- name: training-platform + context: + cluster: training-platform + user: remote-access +current-context: training-platform +users: +- name: remote-access + user: + token: %s +`, serverUrl, base64.StdEncoding.EncodeToString(caCrt), token) + + // Write out the kubeconfig to the output path if provided, otherwise + // print it to stdout. + + if o.OutputPath != "" { + err = ioutil.WriteFile(o.OutputPath, []byte(kubeconfig), 0644) + + if err != nil { + return errors.Wrapf(err, "unable to write kubeconfig to %s", o.OutputPath) + } + } else { + fmt.Print(kubeconfig) + } + + return nil +} + +func (p *ProjectInfo) NewAdminLookupKubeconfigCmd() *cobra.Command { + var o LookupConfigOptions + + var c = &cobra.Command{ + Args: cobra.NoArgs, + Use: "kubeconfig", + Short: "Fetch kubeconfig for lookup service remote access", + RunE: func(cmd *cobra.Command, _ []string) error { + return o.Run() + }, + } + + c.Flags().StringVar( + &o.Kubeconfig, + "kubeconfig", + "", + "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", + ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + c.Flags().StringVarP( + &o.OutputPath, + "output", + "o", + "", + "Path to write Kubeconfig file to", + ) + + return c +} diff --git a/client-programs/pkg/cmd/admin_platform_cmd_group.go b/client-programs/pkg/cmd/admin_platform_cmd_group.go index 4fe98a58c..7bf471f0f 100644 --- a/client-programs/pkg/cmd/admin_platform_cmd_group.go +++ b/client-programs/pkg/cmd/admin_platform_cmd_group.go @@ -8,7 +8,7 @@ import ( func (p *ProjectInfo) NewAdminPlatformCmdGroup() *cobra.Command { var c = &cobra.Command{ Use: "platform", - Short: "Install platform operators", + Short: "Manage Educates installation", } // Use a command group as it allows us to dictate the order in which they 
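Review bot: The kubeconfig written by `ioutil.WriteFile(o.OutputPath, []byte(kubeconfig), 0644)` embeds the `remote-access-token` bearer token, yet mode 0644 leaves the file readable by every local user (subject to umask); a credential file should be created owner-only, `os.WriteFile(o.OutputPath, []byte(kubeconfig), 0600)`, which also replaces the deprecated `io/ioutil` call. A short comment above the write, such as `// The kubeconfig carries a bearer token; keep the file readable by the owner only.`, records why the mode is restrictive. The leading `var err error` is redundant, since `clusterConfig, err := ...` on the next statement declares `err` anyway.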
@@ -19,9 +19,10 @@ func (p *ProjectInfo) NewAdminPlatformCmdGroup() *cobra.Command { { Message: "Available Commands:", Commands: []*cobra.Command{ - p.NewAdminPlatformConfigCmdGroup(), p.NewAdminPlatformDeployCmd(), p.NewAdminPlatformDeleteCmd(), + p.NewAdminPlatformConfigCmd(), + p.NewAdminPlatformValuesCmd(), }, }, } diff --git a/client-programs/pkg/cmd/admin_platform_config_cmd.go b/client-programs/pkg/cmd/admin_platform_config_cmd.go index 3e823baff..448392816 100644 --- a/client-programs/pkg/cmd/admin_platform_config_cmd.go +++ b/client-programs/pkg/cmd/admin_platform_config_cmd.go 
@@ -1,90 +1,79 @@ package cmd import ( - "context" - "encoding/json" "fmt" - "github.com/pkg/errors" "github.com/spf13/cobra" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "gopkg.in/yaml.v2" - apiv1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/types" - applycorev1 "k8s.io/client-go/applyconfigurations/core/v1" - "k8s.io/kubectl/pkg/util/templates" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/installer" ) -func (p *ProjectInfo) NewAdminPlatformConfigCmdGroup() *cobra.Command { - var c = &cobra.Command{ - Use: "config", - Short: "Manage platform configuration", - } +var ( + adminPlatformConfigExample = ` + # Show configuration config for local deployment + educates admin platform config --local-config - // Use a command group as it allows us to dictate the order in which they - // are displayed in the help message, as otherwise they are displayed in - // sort order. - - commandGroups := templates.CommandGroups{ - { - Message: "Available Commands:", - Commands: []*cobra.Command{ - p.NewAdminPlatformConfigViewCmd(), - p.NewAdminPlatformConfigUpdateCmd(), - }, - }, - } + # Show configuration config for specific config file + educates admin platform config --config config.yaml - commandGroups.Add(c) + # Get configuration used to deploy to the current cluster + educates admin platform config --from-cluster + educates admin platform config --from-cluster --kubeconfig /path/to/kubeconfig --context my-cluster - templates.ActsAsRootCommand(c, []string{"--help"}, commandGroups...) 
+ # Get configuration config using locally built educates package (version latest does the same and skips image resolution) + educates admin platform config --config config.yaml --package-repository localhost:5001 --version 0.0.1 + educates admin platform config --config config.yaml --version latest - return c -} + # Get configuration config with different domain (to make copies of the config) + educates admin platform config --local-config --domain cluster1.dev.educates.io > cluster1-config.yaml + educates admin platform config --config config.yaml --domain cluster2.dev.educates.io > cluster2-config.yaml + ` +) -type AdminPlatformConfigViewOptions struct { - Kubeconfig string +type PlatformConfigOptions struct { + KubeconfigOptions + Domain string + Version string + PackageRepository string + LocalConfig bool + FromCluster bool + Verbose bool } -func (o *AdminPlatformConfigViewOptions) Run() error { - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - client, err := clusterConfig.GetClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - secretsClient := client.CoreV1().Secrets("educates-package") +func (o *PlatformConfigOptions) Run() error { + installer := installer.NewInstaller() - valuesSecret, err := secretsClient.Get(context.TODO(), "educates-training-platform-values", metav1.GetOptions{}) - - if err != nil { - return errors.Wrap(err, "platform not deployed") - } + if o.FromCluster { + config, err := installer.GetConfigFromCluster(o.Kubeconfig, o.Context) + if err != nil { + return err + } + fmt.Println(config) + } else { + fullConfig, err := config.ConfigForLocalClusters("", o.Domain, o.LocalConfig) - valuesData, ok := valuesSecret.Data["values.yml"] + if err != nil { + return err + } - if !ok { - return errors.New("no platform configuration found") + config.PrintConfigToStdout(fullConfig) } - fmt.Print(string(valuesData)) - return nil } -func (p *ProjectInfo) NewAdminPlatformConfigViewCmd() 
*cobra.Command { - var o AdminPlatformConfigViewOptions +func (p *ProjectInfo) NewAdminPlatformConfigCmd() *cobra.Command { + var o PlatformConfigOptions var c = &cobra.Command{ Args: cobra.NoArgs, - Use: "view", - Short: "View platform configuration", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, + Use: "config", + Short: "Show config used when deploying the platform", + RunE: func(cmd *cobra.Command, _ []string) error { + return o.Run() + }, + Example: adminPlatformConfigExample, } c.Flags().StringVar( 
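Review bot: `adminPlatformConfigExample` documents `educates admin platform config --config config.yaml` (also combined with `--package-repository` and `--version`), but `Run` hard-codes the config path as `config.ConfigForLocalClusters("", o.Domain, o.LocalConfig)` and the flag set in the next hunk defines no `--config` flag, so every example using it fails as an unknown flag. Either add the `--config` flag and pass `o.Config` the way `PlatformValuesOptions` does, or drop those example lines. `Version`, `PackageRepository` and `Verbose` are populated by flags in the next hunk but never read here, so they are dead options on this command.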
@@ -93,164 +82,52 @@ func (p *ProjectInfo) NewAdminPlatformConfigViewCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) - - return c -} - -type AdminPlatformConfigUpdateOptions struct { - Config string - Reconcile bool - Kubeconfig string -} - -var kappAppResource = schema.GroupVersionResource{Group: "kappctrl.k14s.io", Version: "v1alpha1", Resource: "apps"} - -func (o *AdminPlatformConfigUpdateOptions) Run() error { - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - client, err := clusterConfig.GetClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - secretsClient := client.CoreV1().Secrets("educates-package") - - valuesSecret, err := secretsClient.Get(context.TODO(), "educates-training-platform-values", metav1.GetOptions{}) - - if err != nil { - return errors.Wrap(err, "platform not deployed") - } - - _, ok := valuesSecret.Data["values.yml"] - - if !ok { - return errors.New("no platform configuration found") - } - - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) - - if err != nil { - return err - } - - platformConfig := config.TrainingPlatformConfig{ - ClusterSecurity: fullConfig.ClusterSecurity, - ClusterRuntime: fullConfig.ClusterRuntime, - ClusterIngress: fullConfig.ClusterIngress, - SessionCookies: fullConfig.SessionCookies, - ClusterStorage: fullConfig.ClusterStorage, - ClusterSecrets: fullConfig.ClusterSecrets, - TrainingPortal: fullConfig.TrainingPortal, - WorkshopSecurity: fullConfig.WorkshopSecurity, - ImageRegistry: fullConfig.ImageRegistry, - ImageVersions: fullConfig.ImageVersions, - DockerDaemon: fullConfig.DockerDaemon, - ClusterNetwork: fullConfig.ClusterNetwork, - WorkshopAnalytics: fullConfig.WorkshopAnalytics, - WebsiteStyling: fullConfig.WebsiteStyling, - } - - platformConfigData, err := yaml.Marshal(platformConfig) - - if err != nil { - return errors.Wrap(err, "failed to generate platform configuration") - } - - 
secretObj := &apiv1.Secret{ - Data: map[string][]byte{}, - } - - secretObj.Data["values.yml"] = platformConfigData - - patch := applycorev1.Secret("educates-training-platform-values", "educates-package").WithType(secretObj.Type).WithData(secretObj.Data) - - _, err = secretsClient.Apply(context.TODO(), patch, metav1.ApplyOptions{FieldManager: "educates-cli", Force: true}) - - if err != nil { - return errors.Wrapf(err, "unable to update platform configuration") - } - - if o.Reconcile { - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return err - } - - appResourceClient := dynamicClient.Resource(kappAppResource).Namespace("educates-package") - - pausePatch := []map[string]interface{}{ - { - "op": "add", - "path": "/spec/paused", - "value": true, - }, - } - - patchJSON, err := json.Marshal(pausePatch) - - if err != nil { - return errors.Wrapf(err, "unable to create patch for deployment") - } - - _, err = appResourceClient.Patch(context.TODO(), "educates-training-platform", types.JSONPatchType, patchJSON, metav1.PatchOptions{}) - - if err != nil { - return errors.Wrapf(err, "unable to pause reconcilation") - } - - unpausePatch := []map[string]interface{}{ - { - "op": "remove", - "path": "/spec/paused", - }, - } - - patchJSON, err = json.Marshal(unpausePatch) - - if err != nil { - return errors.Wrapf(err, "unable to create patch for deployment") - } - - _, err = appResourceClient.Patch(context.TODO(), "educates-training-platform", types.JSONPatchType, patchJSON, metav1.PatchOptions{}) - - if err != nil { - return errors.Wrapf(err, "unable to resume reconcilation") - } - } - - return nil -} - -func (p *ProjectInfo) NewAdminPlatformConfigUpdateCmd() *cobra.Command { - var o AdminPlatformConfigUpdateOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "update", - Short: "Update platform configuration", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - c.Flags().StringVar( - &o.Config, - "config", + 
&o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + c.Flags().StringVar( + &o.Domain, + "domain", "", - "path to the installation config file for Educates", + "wildcard ingress subdomain name for Educates", ) c.Flags().BoolVar( - &o.Reconcile, - "reconcile", + &o.Verbose, + "verbose", false, - "trigger reconcilation after configuration update", + "print verbose output", ) c.Flags().StringVar( - &o.Kubeconfig, - "kubeconfig", - "", - "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", + &o.PackageRepository, + "package-repository", + p.ImageRepository, + "image repository hosting package bundles", ) + c.Flags().StringVar( + &o.Version, + "version", + p.Version, + "version to be installed", + ) + c.Flags().BoolVar( + &o.LocalConfig, + "local-config", + false, + "Use local configuration. When used, --config and --domain flags are ignored", + ) + // TODO: From cluster + c.Flags().BoolVar( + &o.FromCluster, + "from-cluster", + false, + "Show the configuration (from the cluster) used when the plaform was deployed", + ) + + c.MarkFlagsMutuallyExclusive("local-config", "from-cluster") + c.MarkFlagsOneRequired("local-config", "from-cluster") return c } diff --git a/client-programs/pkg/cmd/admin_platform_delete_cmd.go b/client-programs/pkg/cmd/admin_platform_delete_cmd.go index 137bcad6d..6d992e5c3 100644 --- a/client-programs/pkg/cmd/admin_platform_delete_cmd.go +++ b/client-programs/pkg/cmd/admin_platform_delete_cmd.go 
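Review bot: The `// TODO: From cluster` comment sits directly above a fully wired `--from-cluster` flag whose `Run` branch already calls `installer.GetConfigFromCluster`, so it is stale and should be removed; the same comment appears in the values command. The `--from-cluster` help text misspells the product: `"Show the configuration (from the cluster) used when the platform was deployed"`. The enclosing `NewAdminPlatformConfigCmd` starts in the previous hunk.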
@@ -1,69 +1,69 @@ package cmd import ( + "fmt" + + "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/operators" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/installer" ) -type AdminPlatformDeleteOptions struct { - Config string - Kubeconfig string +type PlatformDeleteOptions struct { + KubeconfigOptions + Verbose bool } -func (o *AdminPlatformDeleteOptions) Run() error { - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) +func (o *PlatformDeleteOptions) Run() error { + fullConfig := config.NewDefaultInstallationConfig() - if err != nil { - return err - } + installer := installer.NewInstaller() + + clusterConfig := cluster.NewClusterConfig(o.Kubeconfig, o.Context) - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + err := installer.Delete(fullConfig, clusterConfig, o.Verbose) - platformConfig := config.TrainingPlatformConfig{ - ClusterSecurity: fullConfig.ClusterSecurity, - ClusterRuntime: fullConfig.ClusterRuntime, - ClusterIngress: fullConfig.ClusterIngress, - SessionCookies: fullConfig.SessionCookies, - ClusterStorage: fullConfig.ClusterStorage, - ClusterSecrets: fullConfig.ClusterSecrets, - TrainingPortal: fullConfig.TrainingPortal, - WorkshopSecurity: fullConfig.WorkshopSecurity, - ImageRegistry: fullConfig.ImageRegistry, - ImageVersions: fullConfig.ImageVersions, - DockerDaemon: fullConfig.DockerDaemon, - ClusterNetwork: fullConfig.ClusterNetwork, - WorkshopAnalytics: fullConfig.WorkshopAnalytics, - WebsiteStyling: fullConfig.WebsiteStyling, + if err != nil { + return errors.Wrap(err, "educates could not be deleted") } - return operators.DeleteOperators(clusterConfig, &platformConfig) + fmt.Println("\nEducates has been deleted succesfully") + + return nil } 
func (p *ProjectInfo) NewAdminPlatformDeleteCmd() *cobra.Command { - var o AdminPlatformDeleteOptions + var o PlatformDeleteOptions var c = &cobra.Command{ Args: cobra.NoArgs, Use: "delete", - Short: "Delete platform operators", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, + Short: "Delete Educates and related cluster services from your cluster", + RunE: func(cmd *cobra.Command, _ []string) error { + return o.Run() + }, } - c.Flags().StringVar( - &o.Config, - "config", - "", - "path to the installation config file for Educates", - ) c.Flags().StringVar( &o.Kubeconfig, "kubeconfig", "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + c.Flags().BoolVar( + &o.Verbose, + "verbose", + false, + "print verbose output", + ) return c } diff --git a/client-programs/pkg/cmd/admin_platform_deploy_cmd.go b/client-programs/pkg/cmd/admin_platform_deploy_cmd.go index a52419f23..a573b2d5d 100644 --- a/client-programs/pkg/cmd/admin_platform_deploy_cmd.go +++ b/client-programs/pkg/cmd/admin_platform_deploy_cmd.go 
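Review bot: The success message `fmt.Println("\nEducates has been deleted succesfully")` misspells "successfully"; the same typo appears in the deploy command's install message in the `admin_platform_deploy_cmd.go` hunk. `installer := installer.NewInstaller()` shadows the imported `installer` package inside `Run`; it compiles, but a local like `inst` reads more clearly, and the pattern is repeated in the config, deploy and values commands. Delete builds its target from `config.NewDefaultInstallationConfig()` rather than the configuration the cluster was deployed with; if `installer.Delete` depends on anything in that config, a one-line comment explaining why defaults suffice would help the next reader.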
@@ -1,80 +1,133 @@ package cmd import ( + "fmt" + + "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/operators" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/installer" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/secrets" +) + +var ( + adminPlatformDeployExample = ` + # Deploy educates platform + educates admin platform deploy --config config.yaml + + # Get deployment descriptors for a specific provider with provided config + educates admin platform deploy --config config.yaml --dry-run + + # Get deployment descriptors for local cluster default installation + educates admin platform deploy --local-config --dry-run + + # Deploy educates platform with verbose output + educates admin platform deploy --config config.yaml --verbose + + # Deploy educates platform with an alternate domain + educates admin platform deploy --config config.yaml --domain test.educates.io + educates admin platform deploy --local-config --domain test.educates.io + + # Deploy educates platform without resolving images via kbld (using latest images) + educates admin platform deploy --config config.yaml --skip-image-resolution + + # Deploy educates platform showing the changes to be applied to the cluster + educates admin platform deploy --config config.yaml --show-changes + + # Install educates with bundle from different repository + educates admin platform deploy --config config.yaml --package-repository ghcr.io/jorgemoralespou --version installer-clean + + # Install educates when locally built (version latest does the same and skips image resolution) + educates admin platform deploy --config config.yaml --package-repository localhost:5001 --version 0.0.1 + educates admin platform 
deploy --config config.yaml --version latest + + # Install educates on a specific cluster + educates admin platform deploy --config config.yaml --kubeconfig /path/to/kubeconfig --context my-cluster + educates admin platform deploy --config config.yaml --kubeconfig /path/to/kubeconfig + educates admin platform deploy --config config.yaml --context my-cluster + ` ) -type AdminPlatformDeployOptions struct { - Config string - Kubeconfig string - Provider string - Domain string - Version string - PackageRepository string +type PlatformDeployOptions struct { + KubeconfigOptions + Config string + Domain string + DryRun bool + Version string + PackageRepository string + Verbose bool + LocalConfig bool + skipImageResolution bool + showChanges bool } -func (o *AdminPlatformDeployOptions) Run() error { - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) +func (o *PlatformDeployOptions) Run() error { + installer := installer.NewInstaller() + + fullConfig, err := config.ConfigForLocalClusters(o.Config, o.Domain, o.LocalConfig) if err != nil { return err } - if o.Domain != "" { - fullConfig.ClusterIngress.Domain = o.Domain + if o.DryRun { + if err = installer.DryRun(o.Version, o.PackageRepository, fullConfig, o.Verbose, false, o.skipImageResolution); err != nil { + return errors.Wrap(err, "educates could not be installed") + } + return nil + } - fullConfig.ClusterIngress.TLSCertificate = config.TLSCertificateConfig{} + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + if err != nil { + return err + } - fullConfig.ClusterIngress.TLSCertificateRef.Namespace = "" - fullConfig.ClusterIngress.TLSCertificateRef.Name = "" + client, err := clusterConfig.GetClient() + if err != nil { + return err } - if secretName := CachedSecretForIngressDomain(fullConfig.ClusterIngress.Domain); secretName != "" { - fullConfig.ClusterIngress.TLSCertificateRef.Namespace = "educates-secrets" - fullConfig.ClusterIngress.TLSCertificateRef.Name = secretName 
+ // This creates the educates-secrets namespace if it doesn't exist and creates the + // wildcard and CA secrets in there + if err = secrets.SyncLocalCachedSecretsToCluster(client); err != nil { + return err } - if secretName := CachedSecretForCertificateAuthority(fullConfig.ClusterIngress.Domain); secretName != "" { - fullConfig.ClusterIngress.CACertificateRef.Namespace = "educates-secrets" - fullConfig.ClusterIngress.CACertificateRef.Name = secretName + err = installer.Run(o.Version, o.PackageRepository, fullConfig, clusterConfig, o.Verbose, false, o.skipImageResolution, o.showChanges) + if err != nil { + return errors.Wrap(err, "educates could not be installed") } - fullConfig.ClusterInfrastructure.Provider = o.Provider - - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - platformConfig := config.TrainingPlatformConfig{ - ClusterSecurity: fullConfig.ClusterSecurity, - ClusterRuntime: fullConfig.ClusterRuntime, - ClusterIngress: fullConfig.ClusterIngress, - SessionCookies: fullConfig.SessionCookies, - ClusterStorage: fullConfig.ClusterStorage, - ClusterSecrets: fullConfig.ClusterSecrets, - TrainingPortal: fullConfig.TrainingPortal, - WorkshopSecurity: fullConfig.WorkshopSecurity, - ImageRegistry: fullConfig.ImageRegistry, - ImageVersions: fullConfig.ImageVersions, - DockerDaemon: fullConfig.DockerDaemon, - ClusterNetwork: fullConfig.ClusterNetwork, - WorkshopAnalytics: fullConfig.WorkshopAnalytics, - WebsiteStyling: fullConfig.WebsiteStyling, + // This is for hugo livereload (educates serve-workshop). 
Reconfigures the loopback service + // We do create this loopback service for all providers except vcluster, as vcluster will map + // it's own service to the host's loopback service to use the host's single loopback service + if fullConfig.ClusterInfrastructure.Provider != "vcluster" { + if err = cluster.CreateLoopbackService(client, fullConfig.ClusterIngress.Domain); err != nil { + return err + } } - return operators.DeployOperators(o.Version, o.PackageRepository, clusterConfig, &platformConfig) + fmt.Println("\nEducates has been installed succesfully") + + return nil } func (p *ProjectInfo) NewAdminPlatformDeployCmd() *cobra.Command { - var o AdminPlatformDeployOptions + var o PlatformDeployOptions var c = &cobra.Command{ Args: cobra.NoArgs, Use: "deploy", - Short: "Deploy platform operators", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, + Short: "Install Educates and related cluster services onto your cluster in an imperative manner", + RunE: func(cmd *cobra.Command, _ []string) error { + if o.LocalConfig { + o.Config = "" + } + return o.Run() + }, + Example: adminPlatformDeployExample, } c.Flags().StringVar( @@ -90,10 +143,10 @@ func (p *ProjectInfo) NewAdminPlatformDeployCmd() *cobra.Command { "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) c.Flags().StringVar( - &o.Provider, - "provider", - "kind", - "infastructure provider deployment is being made to", + &o.Context, + "context", + "", + "Context to use from Kubeconfig", ) c.Flags().StringVar( &o.Domain, @@ -101,6 +154,18 @@ func (p *ProjectInfo) NewAdminPlatformDeployCmd() *cobra.Command { "", "wildcard ingress subdomain name for Educates", ) + c.Flags().BoolVar( + &o.DryRun, + "dry-run", + false, + "prints to stdout the yaml that would be deployed to the cluster", + ) + c.Flags().BoolVar( + &o.Verbose, + "verbose", + false, + "print verbose output", + ) c.Flags().StringVar( &o.PackageRepository, "package-repository", 
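Review bot: `PlatformDeployOptions` mixes exported fields (`Config`, `DryRun`, `LocalConfig`, ...) with unexported `skipImageResolution` and `showChanges`, so code outside `cmd` can set some options but not others; for consistency these should be `SkipImageResolution` and `ShowChanges`. The dry-run branch wraps failures as `"educates could not be installed"` although nothing was installed; `errors.Wrap(err, "educates manifests could not be rendered")` tells the user what actually failed. Both the `installer.DryRun(...)` and `installer.Run(...)` calls pass a bare `false` whose meaning is not visible here; a named local whose identifier states what that argument controls would make the call sites readable. The guard `if o.LocalConfig { o.Config = "" }` in `RunE` is redundant once `MarkFlagsMutuallyExclusive("config", "local-config")` in the following hunk is in place.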
@@ -113,6 +178,26 @@ func (p *ProjectInfo) NewAdminPlatformDeployCmd() *cobra.Command { p.Version, "version to be installed", ) + c.Flags().BoolVar( + &o.LocalConfig, + "local-config", + false, + "Use local configuration. When used, --config and --domain flags are ignored", + ) + c.Flags().BoolVar( + &o.skipImageResolution, + "skip-image-resolution", + false, + "skips resolution of referenced images so that all will be fetched from their original location", + ) + c.Flags().BoolVar( + &o.showChanges, + "show-changes", + false, + "shows the diffs to be applied to the cluster when running the install", + ) + c.MarkFlagsMutuallyExclusive("config", "local-config") + c.MarkFlagsOneRequired("config", "local-config") return c } diff --git a/client-programs/pkg/cmd/admin_platform_values_cmd.go b/client-programs/pkg/cmd/admin_platform_values_cmd.go new file mode 100644 index 000000000..45559e2fc --- /dev/null +++ b/client-programs/pkg/cmd/admin_platform_values_cmd.go 
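Review bot: The `--local-config` help says "When used, --config and --domain flags are ignored", but `adminPlatformDeployExample` shows `educates admin platform deploy --local-config --domain test.educates.io` and `Run` passes `o.Domain` to `config.ConfigForLocalClusters` unconditionally, so either the help text or the example is wrong. If `--domain` does apply under `--local-config`, as the examples suggest, the text should read `"Use local configuration. When used, the --config flag is ignored"`; the same help string and example pattern appear in the config and values commands (`--local-config --domain cluster1.dev.educates.io`). `MarkFlagsMutuallyExclusive("config", "local-config")` already guarantees `--config` cannot be combined with `--local-config`, so "ignored" is also inaccurate for that flag. `NewAdminPlatformDeployCmd` starts outside this hunk.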
@@ -0,0 +1,146 @@ +package cmd + +import ( + "fmt" + + "github.com/pkg/errors" + "github.com/spf13/cobra" + + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/installer" +) + +var ( + adminPlatformValuesExample = ` + # Show configuration values for local deployment + educates admin platform values --local-config + + # Show configuration values for specific config file + educates admin platform values --config config.yaml + + # Get configuration used to deploy to the current cluster + educates admin platform values --from-cluster + educates admin platform values --from-cluster --kubeconfig /path/to/kubeconfig --context my-cluster + + # Get configuration values using locally built educates package (version latest does the same and skips image resolution) + educates admin platform values --config config.yaml --package-repository localhost:5001 --version 0.0.1 + educates admin platform values --config config.yaml --version latest + + # Get configuration values with different domain (to make copies of the config) + educates admin platform values --local-config --domain cluster1.dev.educates.io > cluster1-config.yaml + educates admin platform values --config config.yaml --domain cluster2.dev.educates.io > cluster2-config.yaml + ` +) + +type PlatformValuesOptions struct { + KubeconfigOptions + Config string + Domain string + Version string + PackageRepository string + LocalConfig bool + FromCluster bool + Verbose bool +} + +func (o *PlatformValuesOptions) Run() error { + installer := installer.NewInstaller() + + if o.FromCluster { + config, err := installer.GetValuesFromCluster(o.Kubeconfig, o.Context) + if err != nil { + return err + } + fmt.Println(config) + } else { + fullConfig, err := config.ConfigForLocalClusters(o.Config, o.Domain, o.LocalConfig) + + if err != nil { + return err + } + + if err := installer.DryRun(o.Version, o.PackageRepository, 
fullConfig, o.Verbose, true, true); err != nil { + return errors.Wrap(err, "educates config could not be processed") + } + } + + return nil +} + +func (p *ProjectInfo) NewAdminPlatformValuesCmd() *cobra.Command { + var o PlatformValuesOptions + + var c = &cobra.Command{ + Args: cobra.NoArgs, + Use: "values", + Short: "Show values to be applied when deploying the platform", + RunE: func(cmd *cobra.Command, _ []string) error { + if o.LocalConfig { + o.Config = "" + } + return o.Run() + }, + Example: adminPlatformValuesExample, + } + + c.Flags().StringVar( + &o.Config, + "config", + "", + "path to the installation config file for Educates", + ) + c.Flags().StringVar( + &o.Kubeconfig, + "kubeconfig", + "", + "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", + ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + c.Flags().StringVar( + &o.Domain, + "domain", + "", + "wildcard ingress subdomain name for Educates", + ) + c.Flags().BoolVar( + &o.Verbose, + "verbose", + false, + "print verbose output", + ) + c.Flags().StringVar( + &o.PackageRepository, + "package-repository", + p.ImageRepository, + "image repository hosting package bundles", + ) + c.Flags().StringVar( + &o.Version, + "version", + p.Version, + "version to be installed", + ) + c.Flags().BoolVar( + &o.LocalConfig, + "local-config", + false, + "Use local configuration. When used, --config and --domain flags are ignored", + ) + // TODO: From cluster + c.Flags().BoolVar( + &o.FromCluster, + "from-cluster", + false, + "Show the configuration (from the cluster) used when the plaform was deployed", + ) + + c.MarkFlagsMutuallyExclusive("local-config", "config", "from-cluster") + c.MarkFlagsOneRequired("config", "local-config", "from-cluster") + + return c +} diff --git a/client-programs/pkg/cmd/admin_secrets_export_cmd.go b/client-programs/pkg/cmd/admin_secrets_export_cmd.go deleted file mode 100644 index b10e3bbf8..000000000 
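Review bot: `installer.DryRun(o.Version, o.PackageRepository, fullConfig, o.Verbose, true, true)` passes two bare booleans; judging from the deploy command's call, the last one appears to be skip-image-resolution, which would mean values always skips image resolution even though the examples present `--version latest` as the way to skip it. A comment naming both arguments, with the fifth one's real meaning filled in from the installer signature, would make that intent checkable. `config, err := installer.GetValuesFromCluster(...)` shadows the imported `config` package inside the `if` block; `values` would be a clearer name. `MarkFlagsMutuallyExclusive("local-config", "config", "from-cluster")` lists the flags in a different order from `MarkFlagsOneRequired("config", "local-config", "from-cluster")`; harmless, but aligning them aids reading.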
--- a/client-programs/pkg/cmd/admin_secrets_export_cmd.go +++ /dev/null @@ -1,70 +0,0 @@ -package cmd - -import ( - "fmt" - "os" - "path" - "strings" - - "github.com/adrg/xdg" - "github.com/pkg/errors" - "github.com/spf13/cobra" - "golang.org/x/exp/slices" -) - -func (p *ProjectInfo) NewAdminSecretsExportCmd() *cobra.Command { - var c = &cobra.Command{ - Args: cobra.ArbitraryArgs, - Use: "export [NAME]", - Short: "Export secrets in the cache", - RunE: func(_ *cobra.Command, args []string) error { - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") - - err := os.MkdirAll(secretsCacheDir, os.ModePerm) - - if err != nil { - return errors.Wrapf(err, "unable to create secrets cache directory") - } - - files, err := os.ReadDir(secretsCacheDir) - - if err != nil { - return errors.Wrapf(err, "unable to read secrets cache directory") - } - - count := 0 - - for _, f := range files { - if strings.HasSuffix(f.Name(), ".yaml") { - name := strings.TrimSuffix(f.Name(), ".yaml") - fullPath := path.Join(secretsCacheDir, f.Name()) - - if len(args) == 0 || slices.Contains(args, name) { - yamlData, err := os.ReadFile(fullPath) - - if err != nil { - continue - } - - if len(yamlData) == 0 || string(yamlData) == "\n" { - continue - } - - if count != 0 { - fmt.Println("---") - } - - fmt.Print(string(yamlData)) - - count = count + 1 - } - } - } - - return nil - }, - } - - return c -} diff --git a/client-programs/pkg/cmd/admin_services_config_cmd.go b/client-programs/pkg/cmd/admin_services_config_cmd.go deleted file mode 100644 index e3e6a81de..000000000 --- a/client-programs/pkg/cmd/admin_services_config_cmd.go +++ /dev/null 
@@ -1,252 +0,0 @@ -package cmd - -import ( - "context" - "encoding/json" - "fmt" - - "github.com/pkg/errors" - "github.com/spf13/cobra" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "gopkg.in/yaml.v2" - apiv1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - applycorev1 "k8s.io/client-go/applyconfigurations/core/v1" - "k8s.io/kubectl/pkg/util/templates" -) - -func (p *ProjectInfo) NewAdminServicesConfigCmdGroup() *cobra.Command { - var c = &cobra.Command{ - Use: "config", - Short: "Manage services configuration", - } - - // Use a command group as it allows us to dictate the order in which they - // are displayed in the help message, as otherwise they are displayed in - // sort order. - - commandGroups := templates.CommandGroups{ - { - Message: "Available Commands:", - Commands: []*cobra.Command{ - p.NewAdminServicesConfigViewCmd(), - p.NewAdminServicesConfigUpdateCmd(), - }, - }, - } - - commandGroups.Add(c) - - templates.ActsAsRootCommand(c, []string{"--help"}, commandGroups...) 
- - return c -} - -type AdminServicesConfigViewOptions struct { - Kubeconfig string -} - -func (o *AdminServicesConfigViewOptions) Run() error { - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - client, err := clusterConfig.GetClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - secretsClient := client.CoreV1().Secrets("educates-package") - - valuesSecret, err := secretsClient.Get(context.TODO(), "educates-cluster-essentials-values", metav1.GetOptions{}) - - if err != nil { - return errors.Wrap(err, "services not deployed") - } - - valuesData, ok := valuesSecret.Data["values.yml"] - - if !ok { - return errors.New("no services configuration found") - } - - fmt.Print(string(valuesData)) - - return nil -} - -func (p *ProjectInfo) NewAdminServicesConfigViewCmd() *cobra.Command { - var o AdminServicesConfigViewOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "view", - Short: "View services configuration", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - - c.Flags().StringVar( - &o.Kubeconfig, - "kubeconfig", - "", - "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", - ) - - return c -} - -type AdminServicesConfigUpdateOptions struct { - Config string - Reconcile bool - Kubeconfig string -} - -func (o *AdminServicesConfigUpdateOptions) Run() error { - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - client, err := clusterConfig.GetClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - secretsClient := client.CoreV1().Secrets("educates-package") - - valuesSecret, err := secretsClient.Get(context.TODO(), "educates-cluster-essentials-values", metav1.GetOptions{}) - - if err != nil { - return errors.Wrap(err, "services not deployed") - } - - valuesData, ok := valuesSecret.Data["values.yml"] - - if !ok { - return errors.New("no services configuration found") - } - - fullConfig, err := 
config.NewInstallationConfigFromFile(o.Config) - - if err != nil { - return err - } - - var valuesObj config.ClusterEssentialsConfig - - err = yaml.Unmarshal(valuesData, &valuesObj) - - if err != nil { - return errors.Wrap(err, "invalid services configuration") - } - - fullConfig.ClusterInfrastructure = valuesObj.ClusterInfrastructure - - servicesConfig := config.ClusterEssentialsConfig{ - ClusterInfrastructure: fullConfig.ClusterInfrastructure, - ClusterPackages: fullConfig.ClusterPackages, - ClusterSecurity: fullConfig.ClusterSecurity, - } - - servicesConfigData, err := yaml.Marshal(servicesConfig) - - if err != nil { - return errors.Wrap(err, "failed to generate services configuration") - } - - secretObj := &apiv1.Secret{ - Data: map[string][]byte{}, - } - - secretObj.Data["values.yml"] = servicesConfigData - - patch := applycorev1.Secret("educates-cluster-essentials-values", "educates-package").WithType(secretObj.Type).WithData(secretObj.Data) - - _, err = secretsClient.Apply(context.TODO(), patch, metav1.ApplyOptions{FieldManager: "educates-cli", Force: true}) - - if err != nil { - return errors.Wrapf(err, "unable to update services configuration") - } - - if o.Reconcile { - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return err - } - - appResourceClient := dynamicClient.Resource(kappAppResource).Namespace("educates-package") - - pausePatch := []map[string]interface{}{ - { - "op": "add", - "path": "/spec/paused", - "value": true, - }, - } - - patchJSON, err := json.Marshal(pausePatch) - - if err != nil { - return errors.Wrapf(err, "unable to create patch for deployment") - } - - _, err = appResourceClient.Patch(context.TODO(), "educates-cluster-essentials", types.JSONPatchType, patchJSON, metav1.PatchOptions{}) - - if err != nil { - return errors.Wrapf(err, "unable to pause reconcilation") - } - - unpausePatch := []map[string]interface{}{ - { - "op": "remove", - "path": "/spec/paused", - }, - } - - patchJSON, err = 
json.Marshal(unpausePatch) - - if err != nil { - return errors.Wrapf(err, "unable to create patch for deployment") - } - - _, err = appResourceClient.Patch(context.TODO(), "educates-cluster-essentials", types.JSONPatchType, patchJSON, metav1.PatchOptions{}) - - if err != nil { - return errors.Wrapf(err, "unable to resume reconcilation") - } - } - - return nil -} - -func (p *ProjectInfo) NewAdminServicesConfigUpdateCmd() *cobra.Command { - var o AdminServicesConfigUpdateOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "update", - Short: "Update services configuration", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - - c.Flags().StringVar( - &o.Config, - "config", - "", - "path to the installation config file for Educates", - ) - c.Flags().BoolVar( - &o.Reconcile, - "reconcile", - false, - "trigger reconcilation after configuration update", - ) - c.Flags().StringVar( - &o.Kubeconfig, - "kubeconfig", - "", - "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", - ) - - return c -} diff --git a/client-programs/pkg/cmd/admin_services_delete_cmd.go b/client-programs/pkg/cmd/admin_services_delete_cmd.go deleted file mode 100644 index 079e00560..000000000 --- a/client-programs/pkg/cmd/admin_services_delete_cmd.go +++ /dev/null 
@@ -1,58 +0,0 @@ -package cmd - -import ( - "github.com/spf13/cobra" - - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/services" -) - -type AdminServicesDeleteOptions struct { - Config string - Kubeconfig string -} - -func (o *AdminServicesDeleteOptions) Run() error { - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) - - if err != nil { - return err - } - - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - servicesConfig := config.ClusterEssentialsConfig{ - ClusterInfrastructure: fullConfig.ClusterInfrastructure, - ClusterPackages: fullConfig.ClusterPackages, - ClusterSecurity: fullConfig.ClusterSecurity, - } - - return services.DeleteServices(clusterConfig, &servicesConfig) -} - -func (p *ProjectInfo) NewAdminServicesDeleteCmd() *cobra.Command { - var o AdminServicesDeleteOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "delete", - Short: "Delete cluster services", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - - c.Flags().StringVar( - &o.Config, - "config", - "", - "path to the installation config file for Educates", - ) - c.Flags().StringVar( - &o.Kubeconfig, - "kubeconfig", - "", - "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", - ) - - return c -} diff --git a/client-programs/pkg/cmd/admin_services_deploy_cmd.go b/client-programs/pkg/cmd/admin_services_deploy_cmd.go deleted file mode 100644 index 5d7dbc853..000000000 --- a/client-programs/pkg/cmd/admin_services_deploy_cmd.go +++ /dev/null 
@@ -1,83 +0,0 @@ -package cmd - -import ( - "github.com/spf13/cobra" - - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/services" -) - -type AdminServicesDeployOptions struct { - Config string - Kubeconfig string - Provider string - Version string - PackageRepository string -} - -func (o *AdminServicesDeployOptions) Run() error { - fullConfig, err := config.NewInstallationConfigFromFile(o.Config) - - if err != nil { - return err - } - - fullConfig.ClusterInfrastructure.Provider = o.Provider - - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - servicesConfig := config.ClusterEssentialsConfig{ - ClusterInfrastructure: fullConfig.ClusterInfrastructure, - ClusterPackages: fullConfig.ClusterPackages, - ClusterSecurity: fullConfig.ClusterSecurity, - } - - return services.DeployServices(o.Version, o.PackageRepository, clusterConfig, &servicesConfig) -} - -func (p *ProjectInfo) NewAdminServicesDeployCmd() *cobra.Command { - var o AdminServicesDeployOptions - - var c = &cobra.Command{ - Args: cobra.NoArgs, - Use: "deploy", - Short: "Deploy cluster services", - RunE: func(_ *cobra.Command, _ []string) error { return o.Run() }, - } - - c.Flags().StringVar( - &o.Config, - "config", - "", - "path to the installation config file for Educates", - ) - c.Flags().StringVar( - &o.Kubeconfig, - "kubeconfig", - "", - "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", - ) - c.Flags().StringVar( - &o.Provider, - "provider", - "", - "infastructure provider deployment is being made to", - ) - c.Flags().StringVar( - &o.PackageRepository, - "package-repository", - p.ImageRepository, - "image repository hosting package bundles", - ) - c.Flags().StringVar( - &o.Version, - "version", - p.Version, - "version to be installed", - ) - - c.MarkFlagRequired("provider") 
- - return c -} diff --git a/client-programs/pkg/cmd/cluster_portal_create_cmd.go b/client-programs/pkg/cmd/cluster_portal_create_cmd.go index 5103e2d7a..9494ceb28 100644 --- a/client-programs/pkg/cmd/cluster_portal_create_cmd.go +++ b/client-programs/pkg/cmd/cluster_portal_create_cmd.go @@ -2,6 +2,7 @@ package cmd import ( "context" + "strings" "github.com/pkg/errors" "github.com/spf13/cobra" @@ -13,12 +14,13 @@ import ( ) type ClusterConfigViewOptions struct { - Kubeconfig string + KubeconfigOptions Portal string Capacity uint Password string ThemeName string CookieDomain string + Labels []string } func (o *ClusterConfigViewOptions) Run(isPasswordSet bool) error { @@ -30,7 +32,11 @@ func (o *ClusterConfigViewOptions) Run(isPasswordSet bool) error { o.Portal = "educates-cli" } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -40,7 +46,7 @@ func (o *ClusterConfigViewOptions) Run(isPasswordSet bool) error { // Update the training portal, creating it if necessary. - err = createTrainingPortal(dynamicClient, o.Portal, o.Capacity, o.Password, isPasswordSet, o.ThemeName, o.CookieDomain) + err = createTrainingPortal(dynamicClient, o.Portal, o.Capacity, o.Password, isPasswordSet, o.ThemeName, o.CookieDomain, o.Labels) if err != nil { return err @@ -69,6 +75,12 @@ func (p *ProjectInfo) NewClusterPortalCreateCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", 
@@ -100,11 +112,18 @@ func (p *ProjectInfo) NewClusterPortalCreateCmd() *cobra.Command { "", "override cookie domain used by training portal and workshops", ) + c.Flags().StringSliceVarP( + &o.Labels, + "labels", + "l", + []string{}, + "label overrides for portal", + ) return c } -func createTrainingPortal(client dynamic.Interface, portal string, capacity uint, password string, isPasswordSet bool, themeName string, cookieDomain string) error { +func createTrainingPortal(client dynamic.Interface, portal string, capacity uint, password string, isPasswordSet bool, themeName string, cookieDomain string, labels []string) error { trainingPortalClient := client.Resource(trainingPortalResource) _, err := trainingPortalClient.Get(context.TODO(), portal, metav1.GetOptions{}) @@ -123,6 +142,21 @@ func createTrainingPortal(client dynamic.Interface, portal string, capacity uint password = randomPassword(12) } + type LabelDetails struct { + Name string `json:"name"` + Value string `json:"value"` + } + + var labelOverrides []LabelDetails + + for _, value := range labels { + parts := strings.SplitN(value, "=", 2) + labelOverrides = append(labelOverrides, LabelDetails{ + Name: parts[0], + Value: parts[1], + }) + } + trainingPortal.SetUnstructuredContent(map[string]interface{}{ "apiVersion": "training.educates.dev/v1beta1", "kind": "TrainingPortal", @@ -164,6 +198,7 @@ func createTrainingPortal(client dynamic.Interface, portal string, capacity uint }{ Domain: cookieDomain, }, + "labels": labelOverrides, }, "workshops": []interface{}{}, }, diff --git a/client-programs/pkg/cmd/cluster_portal_delete_cmd.go b/client-programs/pkg/cmd/cluster_portal_delete_cmd.go index db876e923..fd7f70b76 100644 --- a/client-programs/pkg/cmd/cluster_portal_delete_cmd.go +++ b/client-programs/pkg/cmd/cluster_portal_delete_cmd.go 
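Review bot: `parts[1]` in the new label-parsing loop of `createTrainingPortal` panics with an index-out-of-range when a `--labels` value contains no `=`, because `strings.SplitN(value, "=", 2)` then yields a single element; the value is operator-supplied CLI input, so the loop should validate the shape and fail cleanly, e.g. `if len(parts) != 2 || parts[0] == "" { return errors.Errorf("invalid label %q: expected name=value", value) }` (pkg/errors is already imported by this file). Without that guard an empty name would also be written into the TrainingPortal spec as-is. The enclosing function starts in this hunk and its body continues past it.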
@@ -11,8 +11,8 @@ import ( ) type ClusterPortalDeleteOptions struct { - Kubeconfig string - Portal string + KubeconfigOptions + Portal string } func (o *ClusterPortalDeleteOptions) Run() error { @@ -24,7 +24,11 @@ func (o *ClusterPortalDeleteOptions) Run() error { o.Portal = "educates-cli" } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -65,6 +69,12 @@ func (p *ProjectInfo) NewClusterPortalDeleteCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_portal_list_cmd.go b/client-programs/pkg/cmd/cluster_portal_list_cmd.go index add9c7973..872dc45ee 100644 --- a/client-programs/pkg/cmd/cluster_portal_list_cmd.go +++ b/client-programs/pkg/cmd/cluster_portal_list_cmd.go @@ -15,13 +15,17 @@ import ( ) type ClusterPortalListOptions struct { - Kubeconfig string + KubeconfigOptions } func (o *ClusterPortalListOptions) Run() error { var err error - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -81,5 +85,12 @@ func (p *ProjectInfo) NewClusterPortalListCmd() *cobra.Command { "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + return c } diff --git a/client-programs/pkg/cmd/cluster_portal_open_cmd.go b/client-programs/pkg/cmd/cluster_portal_open_cmd.go index 44f3d0c27..a34033a6a 100644 --- a/client-programs/pkg/cmd/cluster_portal_open_cmd.go 
+++ b/client-programs/pkg/cmd/cluster_portal_open_cmd.go @@ -19,9 +19,9 @@ import ( ) type ClusterPortalOpenOptions struct { - Kubeconfig string - Admin bool - Portal string + KubeconfigOptions + Admin bool + Portal string } func (o *ClusterPortalOpenOptions) Run() error { @@ -33,7 +33,11 @@ func (o *ClusterPortalOpenOptions) Run() error { o.Portal = "educates-cli" } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -135,6 +139,12 @@ func (p *ProjectInfo) NewClusterPortalOpenCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().BoolVar( &o.Admin, "admin", diff --git a/client-programs/pkg/cmd/cluster_portal_password_cmd.go b/client-programs/pkg/cmd/cluster_portal_password_cmd.go index 01ee5644f..142ebb0b1 100644 --- a/client-programs/pkg/cmd/cluster_portal_password_cmd.go +++ b/client-programs/pkg/cmd/cluster_portal_password_cmd.go @@ -15,9 +15,9 @@ import ( ) type ClusterPortalPasswordOptions struct { - Kubeconfig string - Admin bool - Portal string + KubeconfigOptions + Admin bool + Portal string } func (o *ClusterPortalPasswordOptions) Run() error { @@ -29,7 +29,11 @@ func (o *ClusterPortalPasswordOptions) Run() error { o.Portal = "educates-cli" } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() 
@@ -90,6 +94,12 @@ func (p *ProjectInfo) NewClusterPortalPasswordCmd() *cobra.Command {
 "",
 "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config",
 )
+ c.Flags().StringVar(
+ &o.Context,
+ "context",
+ "",
+ "Context to use from Kubeconfig",
+ )
 c.Flags().BoolVar(
 &o.Admin,
 "admin",
diff --git a/client-programs/pkg/cmd/cluster_session_extend_cmd.go b/client-programs/pkg/cmd/cluster_session_extend_cmd.go
index 728343ace..337cac675 100644
--- a/client-programs/pkg/cmd/cluster_session_extend_cmd.go
+++ b/client-programs/pkg/cmd/cluster_session_extend_cmd.go
@@ -1,177 +1,42 @@ package cmd import ( - "context" - "encoding/base64" - "encoding/json" "fmt" - "io" - "net/http" - "net/url" - "strings" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/educatesrestapi" ) type ClusterSessionExtendOptions struct { - Kubeconfig string - Portal string - Name string + KubeconfigOptions + Portal string + Name string } func (o *ClusterSessionExtendOptions) Run() error { var err error - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - trainingPortalClient := dynamicClient.Resource(trainingPortalResource) - - trainingPortal, err := trainingPortalClient.Get(context.TODO(), o.Portal, metav1.GetOptions{}) - - if k8serrors.IsNotFound(err) { - fmt.Println("No session found.") - return nil - } - - portalUrl, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "url") - - clientId, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "id") - clientSecret, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "secret") - - username, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "username") - password, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "password") - - if portalUrl == "" { - return errors.New("invalid URL endpoint in training portal") - } - - if username == "" || password == "" { - return errors.New("invalid credentials in training portal") - 
} - - form := url.Values{} - - form.Add("grant_type", "password") - form.Add("username", username) - form.Add("password", password) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/token/", portalUrl), strings.NewReader(form.Encode())) - - if err != nil { - return errors.Wrapf(err, "malformed request for training portal") - } - - credentials := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))) - - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Basic %s", credentials)) - - res, err := http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode != 200 { - return errors.New("cannot login to training portal") - } - - resBody, err := io.ReadAll(res.Body) - - if err != nil { - return errors.Wrapf(err, "cannot read response to token request") - } - - type AuthDetails struct { - AccessToken string `json:"access_token"` - ExpiresIn int `json:"expires_in"` - TokenType string `json:"token_type"` - Scope string `json:"scope"` - RefreshToken string `json:"refresh_token"` - } - - var auth AuthDetails - - err = json.Unmarshal(resBody, &auth) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) if err != nil { - return errors.Wrapf(err, "cannot decode auth details") + return err } - cleanupFunc := func() { - form = url.Values{} - - form.Add("token", auth.AccessToken) - form.Add("client_id", clientId) - form.Add("client_secret", clientSecret) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/revoke-token/", portalUrl), strings.NewReader(form.Encode())) - - if err == nil { - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - _, _ = http.DefaultClient.Do(req) - } - } - - defer cleanupFunc() - - req, err = http.NewRequest("GET", 
fmt.Sprintf("%s/workshops/session/%s/extend/", portalUrl, o.Name), nil) - - if err != nil { - return errors.Wrapf(err, "malformed request for training portal") - } - - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - res, err = http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode == 400 || res.StatusCode == 404 { - fmt.Println("No session found.") - return nil - } - - if res.StatusCode != 200 { - return errors.New("cannot execute session extension against training portal") - } - - resBody, err = io.ReadAll(res.Body) - + catalogApiRequester := educatesrestapi.NewWorkshopsCatalogRequester( + clusterConfig, + o.Portal, + ) + logout, err := catalogApiRequester.Login() + defer logout() if err != nil { - return errors.Wrapf(err, "cannot read response to extend request") - } - - type SessionDetails struct { - Started string `json:"started"` - Expires string `json:"expires"` - Expiring bool `json:"expiring"` - Countdown int `json:"countdown"` - Extendable bool `json:"extendable"` - Status string `json:"status"` + return errors.Wrap(err, "failed to login to training portal") } - var details SessionDetails - - err = json.Unmarshal(resBody, &details) - + details, err := catalogApiRequester.ExtendWorkshopSession(o.Name) if err != nil { - return errors.Wrapf(err, "cannot decode session details") + return err } fmt.Println("Started:", details.Started) @@ -200,6 +65,12 @@ func (p *ProjectInfo) NewClusterSessionExtendCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_session_list_cmd.go b/client-programs/pkg/cmd/cluster_session_list_cmd.go index 4b7d37b64..e6bf8d86f 100644 --- a/client-programs/pkg/cmd/cluster_session_list_cmd.go 
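Review bot: `defer logout()` in the rewritten `Run` is registered before the error from `catalogApiRequester.Login()` is checked, so if `Login` returns a nil closure together with an error the deferred call panics on return instead of reporting the login failure; move the defer below the check: `logout, err := catalogApiRequester.Login()` / `if err != nil { return errors.Wrap(err, "failed to login to training portal") }` / `defer logout()`. Whether `Login` guarantees a non-nil closure on error cannot be confirmed here since `educatesrestapi` is outside this diff, but the removed inline code only deferred its revoke-token cleanup after a successful token exchange, and that ordering is worth keeping. The removed 400/404 "No session found." handling is also no longer visible in this file; whether `ExtendWorkshopSession` reproduces it is not shown. `Run` continues past the end of the hunk.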
+++ b/client-programs/pkg/cmd/cluster_session_list_cmd.go @@ -16,7 +16,7 @@ import ( ) type ClusterSessionListOptions struct { - Kubeconfig string + KubeconfigOptions Portal string Environment string } @@ -26,7 +26,11 @@ var workshopSessionResource = schema.GroupVersionResource{Group: "training.educa func (o *ClusterSessionListOptions) Run() error { var err error - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -107,6 +111,12 @@ func (p *ProjectInfo) NewClusterSessionListCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_session_status_cmd.go b/client-programs/pkg/cmd/cluster_session_status_cmd.go index a1708b271..b5a2d8a4d 100644 --- a/client-programs/pkg/cmd/cluster_session_status_cmd.go +++ b/client-programs/pkg/cmd/cluster_session_status_cmd.go 
@@ -1,177 +1,38 @@ package cmd import ( - "context" - "encoding/base64" - "encoding/json" "fmt" - "io" - "net/http" - "net/url" - "strings" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/educatesrestapi" ) type ClusterSessionStatusOptions struct { - Kubeconfig string - Portal string - Name string + KubeconfigOptions + Portal string + Name string } func (o *ClusterSessionStatusOptions) Run() error { var err error - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - trainingPortalClient := dynamicClient.Resource(trainingPortalResource) - - trainingPortal, err := trainingPortalClient.Get(context.TODO(), o.Portal, metav1.GetOptions{}) - - if k8serrors.IsNotFound(err) { - fmt.Println("No session found.") - return nil - } - - portalUrl, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "url") - - clientId, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "id") - clientSecret, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "secret") - - username, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "username") - password, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "password") - - if portalUrl == "" { - return errors.New("invalid URL endpoint in training portal") - } - - if username == "" || password == "" { - return errors.New("invalid credentials in training portal") - 
} - - form := url.Values{} - - form.Add("grant_type", "password") - form.Add("username", username) - form.Add("password", password) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/token/", portalUrl), strings.NewReader(form.Encode())) - - if err != nil { - return errors.Wrapf(err, "malformed request for training portal") - } - - credentials := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))) - - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Basic %s", credentials)) - - res, err := http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode != 200 { - return errors.New("cannot login to training portal") - } - - resBody, err := io.ReadAll(res.Body) - - if err != nil { - return errors.Wrapf(err, "cannot read response to token request") - } - - type AuthDetails struct { - AccessToken string `json:"access_token"` - ExpiresIn int `json:"expires_in"` - TokenType string `json:"token_type"` - Scope string `json:"scope"` - RefreshToken string `json:"refresh_token"` - } - - var auth AuthDetails - - err = json.Unmarshal(resBody, &auth) - - if err != nil { - return errors.Wrapf(err, "cannot decode auth details") - } - - cleanupFunc := func() { - form = url.Values{} - - form.Add("token", auth.AccessToken) - form.Add("client_id", clientId) - form.Add("client_secret", clientSecret) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/revoke-token/", portalUrl), strings.NewReader(form.Encode())) - - if err == nil { - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - _, _ = http.DefaultClient.Do(req) - } - } - - defer cleanupFunc() - - req, err = http.NewRequest("GET", fmt.Sprintf("%s/workshops/session/%s/schedule/", portalUrl, o.Name), nil) - - if err != nil { - return 
errors.Wrapf(err, "malformed request for training portal") - } - - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - res, err = http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode == 400 || res.StatusCode == 404 { - fmt.Println("No session found.") - return nil - } - - if res.StatusCode != 200 { - return errors.New("cannot get session status from training portal") - } - - resBody, err = io.ReadAll(res.Body) + clusterConfig := cluster.NewClusterConfig(o.Kubeconfig, o.Context) + catalogApiRequester := educatesrestapi.NewWorkshopsCatalogRequester( + clusterConfig, + o.Portal, + ) + logout, err := catalogApiRequester.Login() + defer logout() if err != nil { - return errors.Wrapf(err, "cannot read response to status request") - } - - type SessionDetails struct { - Started string `json:"started"` - Expires string `json:"expires"` - Expiring bool `json:"expiring"` - Countdown int `json:"countdown"` - Extendable bool `json:"extendable"` - Status string `json:"status"` + return errors.Wrap(err, "failed to login to training portal") } - var details SessionDetails - - err = json.Unmarshal(resBody, &details) - + details, err := catalogApiRequester.GetWorkshopSession(o.Name) if err != nil { - return errors.Wrapf(err, "cannot decode session details") + return err } fmt.Println("Started:", details.Started) @@ -200,6 +61,12 @@ func (p *ProjectInfo) NewClusterSessionStatusCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_session_terminate_cmd.go b/client-programs/pkg/cmd/cluster_session_terminate_cmd.go index 36ccf86ac..7c47a8239 100644 --- a/client-programs/pkg/cmd/cluster_session_terminate_cmd.go 
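Review bot: The rewritten status `Run` calls `cluster.NewClusterConfig(o.Kubeconfig, o.Context)` with no error handling, whereas the sibling extend and list rewrites in this same commit use `cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context)` and return its error; for consistency, and so that a missing kubeconfig or context is surfaced before any portal credential lookup, change it to `clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context)` / `if err != nil { return err }`. The `defer logout()` placed before the `Login()` error check has the same nil-closure risk as in the extend command and should likewise move below the check. `Run` continues past the end of the hunk.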
+++ b/client-programs/pkg/cmd/cluster_session_terminate_cmd.go 
@@ -1,177 +1,38 @@ package cmd import ( - "context" - "encoding/base64" - "encoding/json" "fmt" - "io" - "net/http" - "net/url" - "strings" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/educatesrestapi" ) type ClusterSessionTerminateOptions struct { - Kubeconfig string - Portal string - Name string + KubeconfigOptions + Portal string + Name string } func (o *ClusterSessionTerminateOptions) Run() error { var err error - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") - } - - trainingPortalClient := dynamicClient.Resource(trainingPortalResource) - - trainingPortal, err := trainingPortalClient.Get(context.TODO(), o.Portal, metav1.GetOptions{}) - - if k8serrors.IsNotFound(err) { - fmt.Println("No session found.") - return nil - } - - portalUrl, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "url") - - clientId, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "id") - clientSecret, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "secret") - - username, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "username") - password, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "password") - - if portalUrl == "" { - return errors.New("invalid URL endpoint in training portal") - } - - if username == "" || password == "" { - return errors.New("invalid credentials in training 
portal") - } - - form := url.Values{} - - form.Add("grant_type", "password") - form.Add("username", username) - form.Add("password", password) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/token/", portalUrl), strings.NewReader(form.Encode())) - - if err != nil { - return errors.Wrapf(err, "malformed request for training portal") - } - - credentials := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))) - - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Basic %s", credentials)) - - res, err := http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode != 200 { - return errors.New("cannot login to training portal") - } - - resBody, err := io.ReadAll(res.Body) - - if err != nil { - return errors.Wrapf(err, "cannot read response to token request") - } - - type AuthDetails struct { - AccessToken string `json:"access_token"` - ExpiresIn int `json:"expires_in"` - TokenType string `json:"token_type"` - Scope string `json:"scope"` - RefreshToken string `json:"refresh_token"` - } - - var auth AuthDetails - - err = json.Unmarshal(resBody, &auth) - - if err != nil { - return errors.Wrapf(err, "cannot decode auth details") - } - - cleanupFunc := func() { - form = url.Values{} - - form.Add("token", auth.AccessToken) - form.Add("client_id", clientId) - form.Add("client_secret", clientSecret) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/revoke-token/", portalUrl), strings.NewReader(form.Encode())) - - if err == nil { - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - _, _ = http.DefaultClient.Do(req) - } - } - - defer cleanupFunc() - - req, err = http.NewRequest("GET", fmt.Sprintf("%s/workshops/session/%s/terminate/", portalUrl, o.Name), nil) - - if err != nil { - 
return errors.Wrapf(err, "malformed request for training portal") - } - - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - res, err = http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode == 400 || res.StatusCode == 404 { - fmt.Println("No session found.") - return nil - } - - if res.StatusCode != 200 { - return errors.New("cannot execute session terminate against training portal") - } - - resBody, err = io.ReadAll(res.Body) + clusterConfig := cluster.NewClusterConfig(o.Kubeconfig, o.Context) + catalogApiRequester := educatesrestapi.NewWorkshopsCatalogRequester( + clusterConfig, + o.Portal, + ) + logout, err := catalogApiRequester.Login() + defer logout() if err != nil { - return errors.Wrapf(err, "cannot read response to termination request") - } - - type SessionDetails struct { - Started string `json:"started"` - Expires string `json:"expires"` - Expiring bool `json:"expiring"` - Countdown int `json:"countdown"` - Extendable bool `json:"extendable"` - Status string `json:"status"` + return errors.Wrap(err, "failed to login to training portal") } - var details SessionDetails - - err = json.Unmarshal(resBody, &details) - + details, err := catalogApiRequester.TerminateWorkshopSession(o.Name) if err != nil { - return errors.Wrapf(err, "cannot decode session details") + return err } fmt.Println("Started:", details.Started) @@ -201,6 +62,12 @@ func (p *ProjectInfo) NewClusterSessionTerminateCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_workshop_delete_cmd.go b/client-programs/pkg/cmd/cluster_workshop_delete_cmd.go index b0eb4ce63..ad14e6f3a 100644 --- a/client-programs/pkg/cmd/cluster_workshop_delete_cmd.go 
+++ b/client-programs/pkg/cmd/cluster_workshop_delete_cmd.go @@ -3,10 +3,10 @@ package cmd import ( "context" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -14,9 +14,9 @@ import ( ) type ClusterWorkshopDeleteOptions struct { + KubeconfigOptions Name string Path string - Kubeconfig string Portal string WorkshopFile string WorkshopVersion string @@ -58,7 +58,11 @@ func (o *ClusterWorkshopDeleteOptions) Run() error { name = workshop.GetName() } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -107,6 +111,12 @@ func (p *ProjectInfo) NewClusterWorkshopDeleteCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_workshop_deploy_cmd.go b/client-programs/pkg/cmd/cluster_workshop_deploy_cmd.go index f44bce71f..9c34f44c0 100644 --- a/client-programs/pkg/cmd/cluster_workshop_deploy_cmd.go +++ b/client-programs/pkg/cmd/cluster_workshop_deploy_cmd.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "hash/maphash" "io" "math/rand" "net/http" 
@@ -13,10 +14,10 @@ import ( "strings" "time" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -25,9 +26,9 @@ import ( ) type ClusterWorkshopDeployOptions struct { + KubeconfigOptions Name string Path string - Kubeconfig string Portal string Capacity uint Reserved uint @@ -76,7 +77,11 @@ func (o *ClusterWorkshopDeployOptions) Run() error { return err } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -135,6 +140,12 @@ func (p *ProjectInfo) NewClusterWorkshopDeployCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", @@ -626,7 +637,7 @@ func deployWorkshopResource(client dynamic.Interface, workshop *unstructured.Uns } func randomPassword(length int) string { - rand.Seed(time.Now().UnixNano()) + rand.New(rand.NewSource(int64(new(maphash.Hash).Sum64()))) chars := []rune("!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz") diff --git a/client-programs/pkg/cmd/cluster_workshop_list_cmd.go b/client-programs/pkg/cmd/cluster_workshop_list_cmd.go index 7fa20baae..85c3697df 100644 --- a/client-programs/pkg/cmd/cluster_workshop_list_cmd.go +++ b/client-programs/pkg/cmd/cluster_workshop_list_cmd.go 
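Review bot: The new seed line in randomPassword, `rand.New(rand.NewSource(int64(new(maphash.Hash).Sum64())))`, builds a `*rand.Rand` and discards it, so it has no effect on whatever generator the rest of the function draws from (the body continues outside the hunk); since Go 1.20 the global math/rand source is already randomly seeded, so the line and the `hash/maphash` import can simply be dropped. The larger issue is that this function produces a credential from math/rand, which is not a cryptographic source. Drawing each character index from crypto/rand instead, e.g. `idx, err := cryptorand.Int(cryptorand.Reader, big.NewInt(int64(len(chars))))` with the package imported under an alias to avoid the name clash, makes the generated password unpredictable at negligible cost. A one-line comment on the function stating that it produces password material and therefore uses crypto/rand would keep the next refactor from reverting it.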
@@ -15,8 +15,8 @@ import ( ) type ClusterWorkshopsListOptions struct { - Kubeconfig string - Portal string + KubeconfigOptions + Portal string } func (o *ClusterWorkshopsListOptions) Run() error { @@ -28,7 +28,10 @@ func (o *ClusterWorkshopsListOptions) Run() error { o.Portal = "educates-cli" } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -115,6 +118,12 @@ func (p *ProjectInfo) NewClusterWorkshopListCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_workshop_request_cmd.go b/client-programs/pkg/cmd/cluster_workshop_request_cmd.go index 867b626bd..1cea635b7 100644 --- a/client-programs/pkg/cmd/cluster_workshop_request_cmd.go +++ b/client-programs/pkg/cmd/cluster_workshop_request_cmd.go @@ -1,34 +1,28 @@ package cmd import ( - "bytes" "context" - "encoding/base64" - "encoding/json" "fmt" - "io" - "net/http" - "net/url" "os" "os/exec" "runtime" "strings" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/joho/godotenv" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/educatesrestapi" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/client-go/dynamic" ) type ClusterWorkshopRequestOptions struct { + KubeconfigOptions Name string Path string - Kubeconfig string Portal string Params []string ParamFiles []string 
@@ -122,17 +116,20 @@ func (o *ClusterWorkshopRequestOptions) Run() error { name = workshop.GetName() } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) - dynamicClient, err := clusterConfig.GetDynamicClient() + if err != nil { + return err + } + // check that the portal has the workshop we want to request + err = ensurePortalHasWorkshop(clusterConfig, name, o.Portal) if err != nil { - return errors.Wrapf(err, "unable to create Kubernetes client") + return err } // Request the workshop from the training portal. - - err = requestWorkshop(dynamicClient, name, o.EnvironmentName, o.Portal, params, o.IndexUrl, o.UserIdentity, o.ActivationTimeout, o.NoBrowser) + err = requestWorkshop(clusterConfig, name, o.EnvironmentName, o.Portal, params, o.IndexUrl, o.UserIdentity, o.ActivationTimeout, o.NoBrowser) if err != nil { return err @@ -171,6 +168,12 @@ func (p *ProjectInfo) NewClusterWorkshopRequestCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", @@ -289,7 +292,13 @@ func (p *ProjectInfo) NewClusterWorkshopRequestCmd() *cobra.Command { return c } -func requestWorkshop(client dynamic.Interface, name string, environmentName string, portal string, params map[string]string, indexUrl string, user string, timeout int, noBrowser bool) error { +func ensurePortalHasWorkshop(clusterConfig *cluster.ClusterConfig, name string, portal string) error { + client, err := clusterConfig.GetDynamicClient() + + if err != nil { + return errors.Wrapf(err, "unable to create Kubernetes client") + } + trainingPortalClient := client.Resource(trainingPortalResource) trainingPortal, err := trainingPortalClient.Get(context.TODO(), portal, metav1.GetOptions{}) 
@@ -317,255 +326,49 @@ func requestWorkshop(client dynamic.Interface, name string, environmentName stri if !foundWorkshop { return errors.Wrapf(err, "unable to find workshop %s", name) } + return nil +} - // Login to the training portal. - - portalUrl, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "url") - - clientId, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "id") - clientSecret, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "secret") - - username, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "username") - password, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "password") - - if portalUrl == "" { - return errors.New("invalid URL endpoint in training portal") - } - - if username == "" || password == "" { - return errors.New("invalid credentials in training portal") - } - - form := url.Values{} - - form.Add("grant_type", "password") - form.Add("username", username) - form.Add("password", password) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/token/", portalUrl), strings.NewReader(form.Encode())) - - if err != nil { - return errors.Wrap(err, "malformed request for training portal") - } - - credentials := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))) - - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Basic %s", credentials)) - - res, err := http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrapf(err, "cannot connect to training portal") - } - - if res.StatusCode != 200 { - return errors.New("cannot login to training portal") - } - - resBody, err := io.ReadAll(res.Body) - - if err != nil { - return errors.Wrapf(err, "cannot read response to token request") - } - - type 
AuthDetails struct { - AccessToken string `json:"access_token"` - ExpiresIn int `json:"expires_in"` - TokenType string `json:"token_type"` - Scope string `json:"scope"` - RefreshToken string `json:"refresh_token"` - } - - var auth AuthDetails - - err = json.Unmarshal(resBody, &auth) - +func requestWorkshop(clusterConfig *cluster.ClusterConfig, workshopName string, environmentName string, portalName string, params map[string]string, indexUrl string, user string, timeout int, noBrowser bool) error { + catalogApiRequester := educatesrestapi.NewWorkshopsCatalogRequester( + clusterConfig, + portalName, + ) + logout, err := catalogApiRequester.Login() if err != nil { - return errors.Wrapf(err, "cannot decode auth details") - } - - cleanupFunc := func() { - form = url.Values{} - - form.Add("token", auth.AccessToken) - form.Add("client_id", clientId) - form.Add("client_secret", clientSecret) - - req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/revoke-token/", portalUrl), strings.NewReader(form.Encode())) - - if err == nil { - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - _, _ = http.DefaultClient.Do(req) - } + return err } - - defer cleanupFunc() + defer logout() // Get the list of workshops so we can know which workshop environment - // we need to request a workshop from. 
- - type WorkshopDetails struct { - Name string `json:"name"` - } - - type EnvironmentDetails struct { - Name string `json:"name"` - State string `json:"state"` - Workshop WorkshopDetails - } - - type ListEnvironmentsResponse struct { - Environments []EnvironmentDetails - } - - body := []byte("{}") - - requestURL := fmt.Sprintf("%s/workshops/catalog/environments", portalUrl) - - req, err = http.NewRequest("GET", requestURL, bytes.NewBuffer(body)) - - if err != nil { - return errors.Wrap(err, "malformed request for training portal") - } - - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - res, err = http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrap(err, "failed to request catalog from training portal") - } - - defer res.Body.Close() - - if res.StatusCode != http.StatusOK { - bodyBytes, err := io.ReadAll(res.Body) - - if err != nil { - return errors.Wrap(err, "failed to read response body from training portal") - } - - bodyString := string(bodyBytes) - - return errors.Errorf("request for catalog from training portal failed with error (%d, %s)", res.StatusCode, bodyString) - } - - listEnvironmentsResult := &ListEnvironmentsResponse{} - - err = json.NewDecoder(res.Body).Decode(listEnvironmentsResult) - + listEnvironmentsResult, err := catalogApiRequester.GetWorkshopsCatalog() if err != nil { - return errors.Wrap(err, "failed to decode response from training portal") + return errors.Wrap(err, "failed to get workshops catalog") } // Work out the name of the workshop environment. 
- if environmentName == "" { for _, item := range listEnvironmentsResult.Environments { - if item.Workshop.Name == name && item.State == "RUNNING" { + if item.Workshop.Name == workshopName && item.State == "RUNNING" { environmentName = item.Name } } } if environmentName == "" { - return errors.Errorf("cannot find workshop environment for workshop %s", name) + return errors.Errorf("cannot find workshop environment for workshop %s", workshopName) } // Now request the workshop from the required workshop environment. - - type Parameter struct { - Name string `json:"name"` - Value string `json:"value"` - } - - type RequestWorkshopRequest struct { - Parameters []Parameter `json:"parameters"` - } - - type RequestWorkshopResponse struct { - Name string `json:"name"` - User string `json:"user"` - URL string `json:"url"` - Workshop string `json:"workshop"` - Environment string `json:"environment"` - Namespace string `json:"namespace"` - } - - inputData := RequestWorkshopRequest{ - Parameters: []Parameter{}, - } - - for name, value := range params { - inputData.Parameters = append(inputData.Parameters, Parameter{name, value}) - } - - body, err = json.Marshal(inputData) - - if err != nil { - return errors.Wrapf(err, "cannot marshal request parameters") - } - - if indexUrl == "" { - indexUrl = fmt.Sprintf("%s/accounts/logout/", portalUrl) - } - - queryString := url.Values{} - queryString.Add("index_url", indexUrl) - queryString.Add("timeout", fmt.Sprintf("%d", timeout)) - - if user != "" { - queryString.Add("user", user) - } - - fmt.Printf("Requesting workshop %q from training portal %q.\n", name, portal) - - requestURL = fmt.Sprintf("%s/workshops/environment/%s/request/?%s", portalUrl, environmentName, queryString.Encode()) - - req, err = http.NewRequest("POST", requestURL, bytes.NewBuffer(body)) - + requestWorkshopResult, err := catalogApiRequester.RequestWorkshop(workshopName, environmentName, params, indexUrl, user, timeout) if err != nil { - return errors.Wrap(err, 
"malformed request for training portal") - } - - req.Header.Add("Content-Type", "application/json") - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth.AccessToken)) - - res, err = http.DefaultClient.Do(req) - - if err != nil { - return errors.Wrap(err, "failed to request workshop from training portal") - } - - defer res.Body.Close() - - if res.StatusCode != http.StatusOK { - bodyBytes, err := io.ReadAll(res.Body) - - if err != nil { - return errors.Wrap(err, "failed to read response body from training portal") - } - - bodyString := string(bodyBytes) - - return errors.Errorf("request for workshop from training portal failed with error (%d, %s)", res.StatusCode, bodyString) - } - - requestWorkshopResult := &RequestWorkshopResponse{} - - err = json.NewDecoder(res.Body).Decode(requestWorkshopResult) - - if err != nil { - return errors.Wrap(err, "failed to decode response from training portal") + return err } fmt.Printf("Assigned training portal user %q.\n", requestWorkshopResult.User) fmt.Printf("Workshop session name is %q.\n", requestWorkshopResult.Name) - workshopUrl := fmt.Sprintf("%s%s", portalUrl, requestWorkshopResult.URL) + workshopUrl := fmt.Sprintf("%s%s", catalogApiRequester.PortalUrl, requestWorkshopResult.URL) if noBrowser { fmt.Printf("Workshop activation URL is %s.\n", workshopUrl) diff --git a/client-programs/pkg/cmd/cluster_workshop_serve_cmd.go b/client-programs/pkg/cmd/cluster_workshop_serve_cmd.go index 31e7e0f7d..4d1c19a94 100644 --- a/client-programs/pkg/cmd/cluster_workshop_serve_cmd.go +++ b/client-programs/pkg/cmd/cluster_workshop_serve_cmd.go 
@@ -7,14 +7,14 @@ import ( "path" "path/filepath" - "github.com/adrg/xdg" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/pkg/errors" "github.com/spf13/cobra" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/renderer" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" ) func calculateWorkshopRoot(path string) (string, error) { @@ -58,9 +58,9 @@ func calculateWorkshopRoot(path string) (string, error) { // } type ClusterWorkshopServeOptions struct { + KubeconfigOptions Name string Path string - Kubeconfig string Portal string ProxyProtocol string ProxyHost string @@ -78,7 +78,7 @@ type ClusterWorkshopServeOptions struct { } func generateAccessToken(refresh bool) (string, error) { - configFileDir := path.Join(xdg.DataHome, "educates") + configFileDir := utils.GetEducatesHomeDir() accessTokenFile := path.Join(configFileDir, "live-reload-token.dat") err := os.MkdirAll(configFileDir, os.ModePerm) @@ -130,6 +130,12 @@ func (o *ClusterWorkshopServeOptions) Run() error { var portal = o.Portal var token = o.Token + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } + // Ensure have portal name. if portal == "" { @@ -189,8 +195,6 @@ func (o *ClusterWorkshopServeOptions) Run() error { unstructured.SetNestedField(patchedWorkshop.Object, proxyDefinition, "spec", "session", "applications", "workshop") - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) - dynamicClient, err := clusterConfig.GetDynamicClient() if err != nil { 
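Review bot: generateAccessToken now places live-reload-token.dat under utils.GetEducatesHomeDir(), yet the directory is still created with `os.MkdirAll(configFileDir, os.ModePerm)`, i.e. 0777 before umask, which is a loose mode for a directory that holds an access token. If that directory is shared with other educates state, keep its mode but make sure the token file itself is written with 0600 (the write sits outside this hunk); otherwise `err := os.MkdirAll(configFileDir, 0o700)` is the simpler fix. Either way a one-line comment above the MkdirAll stating that the directory holds the live-reload token would record the intent.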
@@ -211,7 +215,7 @@ func (o *ClusterWorkshopServeOptions) Run() error { var cleanupFunc = func() { // Do our best to revert workshop configuration and ignore errors. - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig := cluster.NewClusterConfig(o.Kubeconfig, o.Context) dynamicClient, err := clusterConfig.GetDynamicClient() @@ -226,7 +230,7 @@ func (o *ClusterWorkshopServeOptions) Run() error { // Run the proxy server and Hugo server. - return renderer.RunHugoServer(path, o.Kubeconfig, name, portal, o.LocalHost, o.LocalPort, o.HugoPort, token, o.Files, cleanupFunc) + return renderer.RunHugoServer(path, o.Kubeconfig, o.Context, name, portal, o.LocalHost, o.LocalPort, o.HugoPort, token, o.Files, cleanupFunc) } func (p *ProjectInfo) NewClusterWorkshopServeCmd() *cobra.Command { @@ -259,6 +263,12 @@ func (p *ProjectInfo) NewClusterWorkshopServeCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/cluster_workshop_update_cmd.go b/client-programs/pkg/cmd/cluster_workshop_update_cmd.go index fbe190805..275bc27d4 100644 --- a/client-programs/pkg/cmd/cluster_workshop_update_cmd.go +++ b/client-programs/pkg/cmd/cluster_workshop_update_cmd.go @@ -10,10 +10,10 @@ import ( "os" "path/filepath" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
@@ -25,9 +25,9 @@ import ( ) type ClusterWorkshopUpdateOptions struct { + KubeconfigOptions Name string Path string - Kubeconfig string Portal string WorkshopFile string WorkshopVersion string @@ -63,7 +63,11 @@ func (o *ClusterWorkshopUpdateOptions) Run() error { return err } - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } dynamicClient, err := clusterConfig.GetDynamicClient() @@ -114,6 +118,12 @@ func (p *ProjectInfo) NewClusterWorkshopUpdateCmd() *cobra.Command { "", "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) c.Flags().StringVarP( &o.Portal, "portal", diff --git a/client-programs/pkg/cmd/docker_workshop_delete_cmd.go b/client-programs/pkg/cmd/docker_workshop_delete_cmd.go index 9165aa14b..525eea383 100644 --- a/client-programs/pkg/cmd/docker_workshop_delete_cmd.go +++ b/client-programs/pkg/cmd/docker_workshop_delete_cmd.go @@ -8,11 +8,11 @@ import ( "os/exec" "path" - "github.com/adrg/xdg" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/docker/docker/client" "github.com/pkg/errors" "github.com/spf13/cobra" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -63,7 +63,7 @@ func (m *DockerWorkshopsManager) DeleteWorkshop(name string, stdout io.Writer, s return errors.Wrap(err, "unable to delete workshop volume") } - configFileDir := path.Join(xdg.DataHome, "educates") + configFileDir := utils.GetEducatesHomeDir() workshopConfigDir := path.Join(configFileDir, "workshops", name) composeConfigDir := path.Join(configFileDir, "compose", name) 
diff --git a/client-programs/pkg/cmd/docker_workshop_deploy_cmd.go b/client-programs/pkg/cmd/docker_workshop_deploy_cmd.go index 4a1c9babf..fdbcd6149 100644 --- a/client-programs/pkg/cmd/docker_workshop_deploy_cmd.go +++ b/client-programs/pkg/cmd/docker_workshop_deploy_cmd.go @@ -15,13 +15,13 @@ import ( "text/template" "time" - "github.com/adrg/xdg" + yttcmd "carvel.dev/ytt/pkg/cmd/template" composeloader "github.com/compose-spec/compose-go/loader" composetypes "github.com/compose-spec/compose-go/types" "github.com/docker/docker/client" "github.com/pkg/errors" "github.com/spf13/cobra" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" "golang.org/x/exp/slices" "gopkg.in/yaml.v2" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -114,7 +114,7 @@ func (m *DockerWorkshopsManager) DeployWorkshop(o *DockerWorkshopDeployOptions, originalName := workshop.GetAnnotations()["training.educates.dev/workshop"] - configFileDir := path.Join(xdg.DataHome, "educates") + configFileDir := utils.GetEducatesHomeDir() composeConfigDir := path.Join(configFileDir, "compose", name) err = os.MkdirAll(composeConfigDir, os.ModePerm) diff --git a/client-programs/pkg/cmd/docker_workshop_list_cmd.go b/client-programs/pkg/cmd/docker_workshop_list_cmd.go index 23c267955..23bf7dec8 100644 --- a/client-programs/pkg/cmd/docker_workshop_list_cmd.go +++ b/client-programs/pkg/cmd/docker_workshop_list_cmd.go @@ -7,7 +7,7 @@ import ( "sync" "text/tabwriter" - "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/container" "github.com/docker/docker/client" "github.com/pkg/errors" "github.com/spf13/cobra" 
@@ -113,7 +113,7 @@ func (m *DockerWorkshopsManager) ListWorkhops() ([]DockerWorkshopDetails, error) return nil, errors.Wrap(err, "unable to create docker client") } - containers, err := cli.ContainerList(ctx, types.ContainerListOptions{}) + containers, err := cli.ContainerList(ctx, container.ListOptions{}) if err != nil { return nil, errors.Wrap(err, "unable to list containers") diff --git a/client-programs/pkg/cmd/docker_workshop_logs.go b/client-programs/pkg/cmd/docker_workshop_logs.go index b73f00139..841d17932 100644 --- a/client-programs/pkg/cmd/docker_workshop_logs.go +++ b/client-programs/pkg/cmd/docker_workshop_logs.go @@ -3,9 +3,9 @@ package cmd import ( "os/exec" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/pkg/errors" "github.com/spf13/cobra" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/client-programs/pkg/cmd/docker_workshop_open_cmd.go b/client-programs/pkg/cmd/docker_workshop_open_cmd.go index b86d7780b..6bd78d2e4 100644 --- a/client-programs/pkg/cmd/docker_workshop_open_cmd.go +++ b/client-programs/pkg/cmd/docker_workshop_open_cmd.go @@ -9,10 +9,10 @@ import ( "runtime" "time" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/docker/docker/client" "github.com/pkg/errors" "github.com/spf13/cobra" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/client-programs/pkg/cmd/educates_cmd_group.go b/client-programs/pkg/cmd/educates_cmd_group.go index 0e4f6143f..100e5487b 100644 --- a/client-programs/pkg/cmd/educates_cmd_group.go +++ b/client-programs/pkg/cmd/educates_cmd_group.go 
@@ -27,7 +27,7 @@ func (p *ProjectInfo) NewEducatesCmdGroup() *cobra.Command {
 commandGroups := templates.CommandGroups{
 {
- Message: "Workshop Commands (Aliases):",
+ Message: "Content Creation Commands (Aliases):",
 Commands: []*cobra.Command{
 overrideCommandName(p.NewWorkshopNewCmd(), "new-workshop"),
 overrideCommandName(p.NewWorkshopPublishCmd(), "publish-workshop"),
@@ -35,7 +35,7 @@ func (p *ProjectInfo) NewEducatesCmdGroup() *cobra.Command {
 },
 },
 {
- Message: "Cluster Commands (Aliases):",
+ Message: "Content Management Commands (Aliases):",
 Commands: []*cobra.Command{
 overrideCommandName(p.NewClusterWorkshopDeployCmd(), "deploy-workshop"),
 overrideCommandName(p.NewClusterWorkshopListCmd(), "list-workshops"),
@@ -59,20 +59,23 @@ func (p *ProjectInfo) NewEducatesCmdGroup() *cobra.Command {
 {
 Message: "Management Commands (Aliases):",
 Commands: []*cobra.Command{
- overrideCommandName(p.NewAdminClusterCreateCmd(), "create-cluster"),
- overrideCommandName(p.NewAdminClusterDeleteCmd(), "delete-cluster"),
+ overrideCommandName(p.NewLocalClusterCreateCmd(), "create-cluster"),
+ overrideCommandName(p.NewLocalClusterDeleteCmd(), "delete-cluster"),
+ overrideCommandName(p.NewAdminPlatformDeployCmd(), "deploy-platform"),
+ overrideCommandName(p.NewAdminPlatformDeleteCmd(), "delete-platform"),
 },
 },
 {
 Message: "Command Groups:",
 Commands: []*cobra.Command{
+ p.NewLocalCmdGroup(),
+ p.NewAdminCmdGroup(),
 p.NewProjectCmdGroup(),
 p.NewWorkshopCmdGroup(),
 p.NewTemplateCmdGroup(),
 p.NewClusterCmdGroup(),
 p.NewDockerCmdGroup(),
 p.NewTunnelCmdGroup(),
- p.NewAdminCmdGroup(),
 },
 },
 }
diff --git a/client-programs/pkg/cmd/admin_cluster_cmd_group.go b/client-programs/pkg/cmd/local_cluster_cmd_group.go
similarity index 71%
rename from client-programs/pkg/cmd/admin_cluster_cmd_group.go
rename to client-programs/pkg/cmd/local_cluster_cmd_group.go
index a4a2bfb58..f6c3c9b72 100644
--- a/client-programs/pkg/cmd/admin_cluster_cmd_group.go
+++ b/client-programs/pkg/cmd/local_cluster_cmd_group.go
@@ -5,7 +5,7 @@ import (
 "k8s.io/kubectl/pkg/util/templates"
 )
-func (p *ProjectInfo) NewAdminClusterCmdGroup() *cobra.Command {
+func (p *ProjectInfo) NewLocalClusterCmdGroup() *cobra.Command {
 var c = &cobra.Command{
 Use: "cluster",
 Short: "Manage local Kubernetes cluster",
@@ -19,10 +19,11 @@ func (p *ProjectInfo) NewAdminClusterCmdGroup() *cobra.Command {
 {
 Message: "Available Commands:",
 Commands: []*cobra.Command{
- p.NewAdminClusterCreateCmd(),
- p.NewAdminClusterStartCmd(),
- p.NewAdminClusterStopCmd(),
- p.NewAdminClusterDeleteCmd(),
+ p.NewLocalClusterCreateCmd(),
+ p.NewLocalClusterStartCmd(),
+ p.NewLocalClusterStopCmd(),
+ p.NewLocalClusterDeleteCmd(),
+ p.NewLocalClusterStatusCmd(),
 },
 },
 }
diff --git a/client-programs/pkg/cmd/local_cluster_create_cmd.go b/client-programs/pkg/cmd/local_cluster_create_cmd.go
new file mode 100644
index 000000000..f788f1b28
--- /dev/null
+++ b/client-programs/pkg/cmd/local_cluster_create_cmd.go
@@ -0,0 +1,317 @@
+package cmd
+
+import (
+ "context"
+ _ "embed"
+ "fmt"
+ "io"
+ "os"
+
+ "github.com/docker/docker/api/types/container"
+ "github.com/docker/docker/api/types/image"
+ "github.com/docker/docker/client"
+ "github.com/docker/go-connections/nat"
+ "github.com/pkg/errors"
+ "github.com/spf13/cobra"
+
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/installer"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/registry"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/secrets"
+)
+
+var (
+ localClusterCreateExample = `
+ # Create local educates cluster (no configuration, uses nip.io wildcard domain and Kind as provider config defaults)
+ educates admin cluster create
+
+ # Create local educates cluster with custom configuration
+ educates admin cluster create --config config.yaml
+
+ # Create local kind cluster but don't install anything on it (it creates local registry but not local secrets)
+ educates admin cluster create --cluster-only
+
+ # Create local kind cluster but don't install anything on it, but providing some config for kind
+ educates admin cluster create --cluster-only --config kind-config.yaml
+
+ # Create local educates cluster with bundle from different repository
+ educates admin cluster create --package-repository ghcr.io/jorgemoralespou --version installer-clean
+
+ # Create local educates cluster with local build (for development)
+ educates admin cluster create --package-repository localhost:5001 --version 0.0.1
+
+ # Create local educates cluster with default configuration for a given domain
+ educates admin cluster create --domain test.educates.io
+
+ # Create local educates cluster with custom configuration providing a domain
+ educates admin cluster create --config 
config.yaml --domain test.educates.io
+
+`
+
+)
+
+type LocalClusterCreateOptions struct {
+ Config string
+ Kubeconfig string
+ ClusterImage string
+ Domain string
+ PackageRepository string
+ Version string
+ ClusterOnly bool
+ Verbose bool
+ SkipImageResolution bool
+ RegistryBindIP string
+}
+
+func (o *LocalClusterCreateOptions) Run() error {
+
+ fullConfig, err := config.ConfigForLocalClusters(o.Config, o.Domain, true)
+
+ if err != nil {
+ return err
+ }
+
+ if o.Verbose {
+ config.PrintConfigToStdout(fullConfig)
+ }
+
+ clusterConfig := cluster.NewKindClusterConfig(o.Kubeconfig)
+
+ if exists, err := clusterConfig.ClusterExists(); exists && err != nil {
+ return err
+ }
+
+ httpAvailable, err := checkPortAvailability(fullConfig.LocalKindCluster.ListenAddress, []uint{80, 443}, o.Verbose)
+
+ if err != nil {
+ return errors.Wrap(err, "couldn't test whether ports 80/443 available")
+ }
+
+ if !httpAvailable {
+ return errors.New("ports 80/443 not available")
+ }
+
+ err = clusterConfig.CreateCluster(fullConfig, o.ClusterImage)
+
+ if err != nil {
+ return err
+ }
+
+ client, err := clusterConfig.Config.GetClient()
+
+ if err != nil {
+ return err
+ }
+
+ // This creates the educates-secrets namespace if it doesn't exist and creates the
+ // wildcard and CA secrets in there
+ if !o.ClusterOnly {
+ if err = secrets.SyncLocalCachedSecretsToCluster(client); err != nil {
+ return err
+ }
+ }
+
+ if err = registry.DeployRegistry(o.RegistryBindIP); err != nil {
+ return errors.Wrap(err, "failed to deploy registry")
+ }
+
+ if err = registry.LinkRegistryToCluster(); err != nil {
+ return errors.Wrap(err, "failed to link registry to cluster")
+ }
+
+ // This is needed for imgpkg pull from locally published workshops
+ if err = registry.UpdateRegistryService(client); err != nil {
+ return errors.Wrap(err, "failed to create service for registry")
+ }
+
+ // This is for hugo livereload (educates serve-workshop)
+ if err = cluster.CreateLoopbackService(client, 
fullConfig.ClusterIngress.Domain); err != nil {
+ return err
+ }
+
+ // This is needed to make containerd use the local registry
+ if err = registry.AddRegistryConfigToKindNodes("localhost:5001"); err != nil {
+ return errors.Wrap(err, "failed to add registry config to kind nodes")
+ }
+ if err = registry.AddRegistryConfigToKindNodes("registry.default.svc.cluster.local"); err != nil {
+ return errors.Wrap(err, "failed to add registry config to kind nodes")
+ }
+
+ // This is needed so that kubernetes nodes can pull images from the local registry
+ if err = registry.DocumentLocalRegistry(client); err != nil {
+ return errors.Wrap(err, "failed to document registry config in cluster")
+ }
+
+ if !o.ClusterOnly {
+ installer := installer.NewInstaller()
+ err = installer.Run(o.Version, o.PackageRepository, fullConfig, &clusterConfig.Config, o.Verbose, false, o.SkipImageResolution, false)
+ if err != nil {
+ return errors.Wrap(err, "educates could not be installed")
+ }
+ }
+
+ fmt.Println("Educates cluster has been created succesfully")
+
+ return nil
+}
+
+func (p *ProjectInfo) NewLocalClusterCreateCmd() *cobra.Command {
+ var o LocalClusterCreateOptions
+
+ var c = &cobra.Command{
+ Args: cobra.NoArgs,
+ Use: "create",
+ Short: "Creates a local Kubernetes cluster",
+ RunE: func(cmd *cobra.Command, _ []string) error {
+ ip, err := registry.ValidateAndResolveIP(o.RegistryBindIP)
+ if err != nil {
+ return errors.Wrap(err, "invalid registry bind IP")
+ }
+ o.RegistryBindIP = ip
+
+ return o.Run()
+ },
+ Example: localClusterCreateExample,
+ }
+
+ c.Flags().StringVar(
+ &o.Config,
+ "config",
+ "",
+ "path to the installation config file for Educates",
+ )
+ c.Flags().StringVar(
+ &o.Kubeconfig,
+ "kubeconfig",
+ "",
+ "kubeconfig file to use instead of $HOME/.kube/config",
+ )
+ c.Flags().StringVar(
+ &o.ClusterImage,
+ "kind-cluster-image",
+ "",
+ "docker image to use when booting the kind cluster",
+ )
+ c.Flags().StringVar(
+ &o.Domain,
+ "domain",
+ "",
+ "wildcard 
ingress subdomain name for Educates",
+ )
+ c.Flags().StringVar(
+ &o.PackageRepository,
+ "package-repository",
+ p.ImageRepository,
+ "image repository hosting package bundles",
+ )
+ c.Flags().StringVar(
+ &o.Version,
+ "version",
+ p.Version,
+ "version of Educates training platform to be installed",
+ )
+ c.Flags().BoolVar(
+ &o.ClusterOnly,
+ "cluster-only",
+ false,
+ "only create the cluster, do not install Educates",
+ )
+ c.Flags().BoolVar(
+ &o.Verbose,
+ "verbose",
+ false,
+ "print verbose output",
+ )
+ c.Flags().BoolVar(
+ &o.SkipImageResolution,
+ "skip-image-resolution",
+ false,
+ "skips resolution of referenced images so that all will be fetched from their original location",
+ )
+ c.Flags().StringVar(
+ &o.RegistryBindIP,
+ "registry-bind-ip",
+ "127.0.0.1",
+ "Bind ip for the registry service",
+ )
+ return c
+}
+
+func checkPortAvailability(listenAddress string, ports []uint, verbose bool) (bool, error) {
+ ctx := context.Background()
+
+ cli, err := client.NewClientWithOpts(client.FromEnv)
+
+ if err != nil {
+ return false, errors.Wrap(err, "unable to create docker client")
+ }
+
+ cli.ContainerRemove(ctx, "educates-port-availability-check", container.RemoveOptions{})
+
+ reader, err := cli.ImagePull(ctx, "docker.io/library/busybox:latest", image.PullOptions{})
+ if err != nil {
+ return false, errors.Wrap(err, "cannot pull busybox image")
+ }
+
+ defer reader.Close()
+
+ if verbose {
+ io.Copy(os.Stdout, reader)
+ } else {
+ io.Copy(io.Discard, reader)
+ }
+
+ if listenAddress == "" {
+ listenAddress, err = config.HostIP()
+
+ if err != nil {
+ listenAddress = "127.0.0.1"
+ }
+ }
+
+ hostConfig := &container.HostConfig{
+ PortBindings: nat.PortMap{},
+ }
+
+ exposedPorts := nat.PortSet{}
+
+ for _, port := range ports {
+ key := nat.Port(fmt.Sprintf("%d/tcp", port))
+ hostConfig.PortBindings[key] = []nat.PortBinding{
+ {
+ HostIP: listenAddress,
+ HostPort: fmt.Sprintf("%d", port),
+ },
+ }
+ exposedPorts[key] = struct{}{}
+ }
+
+ resp, err 
:= cli.ContainerCreate(ctx, &container.Config{
+ Image: "docker.io/library/busybox:latest",
+ Cmd: []string{"/bin/true"},
+ Tty: false,
+ ExposedPorts: exposedPorts,
+ }, hostConfig, nil, nil, "educates-port-availability-check")
+
+ if err != nil {
+ return false, errors.Wrap(err, "cannot create busybox container")
+ }
+
+ defer cli.ContainerRemove(ctx, "educates-port-availability-check", container.RemoveOptions{})
+
+ if err := cli.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil {
+ return false, errors.Wrap(err, "cannot start busybox container")
+ }
+
+ statusCh, errCh := cli.ContainerWait(ctx, "educates-port-availability-check", container.WaitConditionNotRunning)
+
+ select {
+ case err := <-errCh:
+ if err != nil {
+ return false, nil
+ }
+ case <-statusCh:
+ }
+
+ return true, nil
+}
diff --git a/client-programs/pkg/cmd/admin_cluster_delete_cmd.go b/client-programs/pkg/cmd/local_cluster_delete_cmd.go
similarity index 81%
rename from client-programs/pkg/cmd/admin_cluster_delete_cmd.go
rename to client-programs/pkg/cmd/local_cluster_delete_cmd.go
index 5fb4ae4c4..638840c41 100644
--- a/client-programs/pkg/cmd/admin_cluster_delete_cmd.go
+++ b/client-programs/pkg/cmd/local_cluster_delete_cmd.go
@@ -8,12 +8,12 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/resolver"
 )
-type AdminClusterDeleteOptions struct {
+type LocalClusterDeleteOptions struct {
 Kubeconfig string
 AllComponents bool
 }
-func (o *AdminClusterDeleteOptions) Run() error {
+func (o *LocalClusterDeleteOptions) Run() error {
 c := cluster.NewKindClusterConfig("")
 if o.AllComponents {
@@ -24,8 +24,8 @@ func (o *AdminClusterDeleteOptions) Run() error {
 return c.DeleteCluster()
 }
-func (p *ProjectInfo) NewAdminClusterDeleteCmd() *cobra.Command {
- var o AdminClusterDeleteOptions
+func (p *ProjectInfo) NewLocalClusterDeleteCmd() *cobra.Command {
+ var o LocalClusterDeleteOptions
 var c = &cobra.Command{
 Args: cobra.NoArgs,
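Review bot: The guard `if exists, err := clusterConfig.ClusterExists(); exists && err != nil { return err }` in Run only stops when the cluster exists *and* the lookup itself failed, so a lookup error with exists=false is silently dropped and an existing cluster with no error falls straight through to CreateCluster; if the intent is to stop in either case, the condition should be `err != nil || exists`, with a dedicated `errors.New("local cluster already exists")` for the exists branch (what ClusterExists reports for a pre-existing cluster is not visible here, so confirm against its implementation). checkPortAvailability pulls and runs the mutable tag `docker.io/library/busybox:latest` as a port probe; pinning it by digest (`docker.io/library/busybox@sha256:…`) keeps the probe reproducible and avoids executing whatever that tag currently points at. In the same function a non-nil value received on errCh becomes `return false, nil`, which the caller reports as "ports 80/443 not available" for any Docker wait failure rather than surfacing the cause; returning the wrapped error there is clearer. The example block still shows `educates admin cluster create` although the command is now wired under `educates local cluster create`, and "succesfully" in the final Println is misspelled.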
diff --git a/client-programs/pkg/cmd/admin_cluster_start_cmd.go b/client-programs/pkg/cmd/local_cluster_start_cmd.go
similarity index 86%
rename from client-programs/pkg/cmd/admin_cluster_start_cmd.go
rename to client-programs/pkg/cmd/local_cluster_start_cmd.go
index fb3051ad5..fc605ec1a 100644
--- a/client-programs/pkg/cmd/admin_cluster_start_cmd.go
+++ b/client-programs/pkg/cmd/local_cluster_start_cmd.go
@@ -6,7 +6,7 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster"
 )
-func (p *ProjectInfo) NewAdminClusterStartCmd() *cobra.Command {
+func (p *ProjectInfo) NewLocalClusterStartCmd() *cobra.Command {
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "start",
diff --git a/client-programs/pkg/cmd/local_cluster_status_cmd.go b/client-programs/pkg/cmd/local_cluster_status_cmd.go
new file mode 100644
index 000000000..70d15c5de
--- /dev/null
+++ b/client-programs/pkg/cmd/local_cluster_status_cmd.go
@@ -0,0 +1,22 @@
+package cmd
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster"
+)
+
+func (p *ProjectInfo) NewLocalClusterStatusCmd() *cobra.Command {
+ var c = &cobra.Command{
+ Args: cobra.NoArgs,
+ Use: "status",
+ Short: "Status of the local Kubernetes cluster",
+ RunE: func(_ *cobra.Command, _ []string) error {
+ c := cluster.NewKindClusterConfig("")
+
+ return c.ClusterStatus()
+ },
+ }
+
+ return c
+}
diff --git a/client-programs/pkg/cmd/admin_cluster_stop_cmd.go b/client-programs/pkg/cmd/local_cluster_stop_cmd.go
similarity index 85%
rename from client-programs/pkg/cmd/admin_cluster_stop_cmd.go
rename to client-programs/pkg/cmd/local_cluster_stop_cmd.go
index 103c7a063..9d7d0ff19 100644
--- a/client-programs/pkg/cmd/admin_cluster_stop_cmd.go
+++ b/client-programs/pkg/cmd/local_cluster_stop_cmd.go
@@ -6,7 +6,7 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster"
 )
-func (p *ProjectInfo) NewAdminClusterStopCmd() *cobra.Command {
+func (p *ProjectInfo) NewLocalClusterStopCmd() *cobra.Command {
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "stop",
diff --git a/client-programs/pkg/cmd/local_cmd_group.go b/client-programs/pkg/cmd/local_cmd_group.go
new file mode 100644
index 000000000..2a5e0b270
--- /dev/null
+++ b/client-programs/pkg/cmd/local_cmd_group.go
@@ -0,0 +1,36 @@
+package cmd
+
+import (
+ "github.com/spf13/cobra"
+ "k8s.io/kubectl/pkg/util/templates"
+)
+
+func (p *ProjectInfo) NewLocalCmdGroup() *cobra.Command {
+ var c = &cobra.Command{
+ Use: "local",
+ Short: "Tools for working with Educates on your local computer",
+ }
+
+ // Use a command group as it allows us to dictate the order in which they
+ // are displayed in the help message, as otherwise they are displayed in
+ // sort order.
+
+ commandGroups := templates.CommandGroups{
+ {
+ Message: "Available Commands:",
+ Commands: []*cobra.Command{
+ p.NewLocalClusterCmdGroup(),
+ p.NewLocalConfigCmdGroup(),
+ p.NewLocalSecretsCmdGroup(),
+ p.NewLocalRegistryCmdGroup(),
+ p.NewLocalResolverCmdGroup(),
+ },
+ },
+ }
+
+ commandGroups.Add(c)
+
+ templates.ActsAsRootCommand(c, []string{"--help"}, commandGroups...)
+
+ return c
+}
diff --git a/client-programs/pkg/cmd/local_config_cmd_group.go b/client-programs/pkg/cmd/local_config_cmd_group.go
new file mode 100644
index 000000000..e5ee71f8d
--- /dev/null
+++ b/client-programs/pkg/cmd/local_config_cmd_group.go
@@ -0,0 +1,38 @@
+package cmd
+
+import (
+ "github.com/spf13/cobra"
+ "k8s.io/kubectl/pkg/util/templates"
+)
+
+func (p *ProjectInfo) NewLocalConfigCmdGroup() *cobra.Command {
+ var c = &cobra.Command{
+ Use: "config",
+ Short: "Manage local configuration files",
+ Long: "Manage local configuration files. This configuration will be used when creating a local cluster " +
+ "using the 'educates local cluster create' command. By default it will use the nip.io wildcard domain " +
+ "and Kind as the provider." + "\n" +
+ "This configuration is saved in the Educates home directory.",
+ }
+
+ // Use a command group as it allows us to dictate the order in which they
+ // are displayed in the help message, as otherwise they are displayed in
+ // sort order.
+
+ commandGroups := templates.CommandGroups{
+ {
+ Message: "Available Commands:",
+ Commands: []*cobra.Command{
+ p.NewLocalConfigEditCmd(),
+ p.NewLocalConfigViewCmd(),
+ p.NewLocalConfigResetCmd(),
+ },
+ },
+ }
+
+ commandGroups.Add(c)
+
+ templates.ActsAsRootCommand(c, []string{"--help"}, commandGroups...)
+
+ return c
+}
diff --git a/client-programs/pkg/cmd/admin_config_edit_cmd.go b/client-programs/pkg/cmd/local_config_edit_cmd.go
similarity index 75%
rename from client-programs/pkg/cmd/admin_config_edit_cmd.go
rename to client-programs/pkg/cmd/local_config_edit_cmd.go
index 839d83f0b..2cf8ce5fe 100644
--- a/client-programs/pkg/cmd/admin_config_edit_cmd.go
+++ b/client-programs/pkg/cmd/local_config_edit_cmd.go
@@ -6,26 +6,31 @@ import (
 "os/exec"
 "path"
- "github.com/adrg/xdg"
 "github.com/pkg/errors"
 "github.com/spf13/cobra"
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils"
 )
-func (p *ProjectInfo) NewAdminConfigEditCmd() *cobra.Command {
+func (p *ProjectInfo) NewLocalConfigEditCmd() *cobra.Command {
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "edit",
- Short: "Edit default configuration",
+ Short: "Edit local configuration",
 RunE: func(_ *cobra.Command, _ []string) error {
- configFileDir := path.Join(xdg.DataHome, "educates")
- valuesFilePath := path.Join(configFileDir, "values.yaml")
+ err := os.MkdirAll(utils.GetEducatesHomeDir(), os.ModePerm)
+
+ if err != nil {
+ return errors.Wrapf(err, "unable to create configuration directory %q", utils.GetEducatesHomeDir())
+ }
+
+ valuesFilePath := path.Join(utils.GetEducatesHomeDir(), "values.yaml")
 tmpValuesFilePath := fmt.Sprintf("%s.%d", valuesFilePath, os.Getpid())
 tmpValuesFile, err := os.OpenFile(tmpValuesFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, os.ModePerm)
 if err != nil {
- return errors.Wrapf(err, "unable to temporary values file %q", tmpValuesFilePath)
+ return errors.Wrapf(err, "unable to create local configuration file %q", tmpValuesFilePath)
 }
 valuesFileData, err := os.ReadFile(valuesFilePath)
diff --git a/client-programs/pkg/cmd/local_config_reset_cmd.go b/client-programs/pkg/cmd/local_config_reset_cmd.go
new file mode 100644
index 000000000..05a7d801a
--- /dev/null
+++ b/client-programs/pkg/cmd/local_config_reset_cmd.go
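Review bot: The new `os.MkdirAll(utils.GetEducatesHomeDir(), os.ModePerm)` creates the Educates home directory as 0777 (minus umask), yet the same directory is where the `local secrets add` commands in this diff place their `secrets/` cache (TLS cert/key and docker-registry credentials), so the first command that creates it should use an owner-only mode: `err := os.MkdirAll(utils.GetEducatesHomeDir(), 0o700)`. The temporary values file opened on the next line with `os.ModePerm` is pre-existing, but 0o600 there would match the tightened directory mode. The RunE closure continues past the end of this hunk.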
@@ -0,0 +1,26 @@
+package cmd
+
+import (
+ "os"
+ "path"
+
+ "github.com/spf13/cobra"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils"
+)
+
+func (p *ProjectInfo) NewLocalConfigResetCmd() *cobra.Command {
+ var c = &cobra.Command{
+ Args: cobra.NoArgs,
+ Use: "reset",
+ Short: "Reset local configuration",
+ RunE: func(_ *cobra.Command, _ []string) error {
+ valuesFile := path.Join(utils.GetEducatesHomeDir(), "values.yaml")
+
+ os.Remove(valuesFile)
+
+ return nil
+ },
+ }
+
+ return c
+}
diff --git a/client-programs/pkg/cmd/local_config_view_cmd.go b/client-programs/pkg/cmd/local_config_view_cmd.go
new file mode 100644
index 000000000..ab062c781
--- /dev/null
+++ b/client-programs/pkg/cmd/local_config_view_cmd.go
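Review bot: `os.Remove(valuesFile)` discards its error, so `educates local config reset` reports success even when the file exists but cannot be removed (permission denied, a directory in its place), and the user cannot tell that from a genuine no-op. Only the not-exist case should be tolerated: `if err := os.Remove(valuesFile); err != nil && !os.IsNotExist(err) { return err }`.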
@@ -0,0 +1,77 @@
+package cmd
+
+import (
+ "fmt"
+
+ "github.com/pkg/errors"
+ "github.com/spf13/cobra"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config"
+ "gopkg.in/yaml.v2"
+)
+
+var (
+ localConfigViewExample = `
+ # View local educates cluster configuration by default. Uses nip.io wildcard domain and Kind as provider config defaults
+ educates local config view --config NULL
+
+ # View local educates cluster configuration stored. Will show the default if local config file is empty
+ educates local config view
+
+ # View local educates cluster configuration using provided config. If there's secrets for that domain, they will be used
+ educates local config view --config config.yaml
+
+ # View local educates cluster configuration using provided domain. If there's secrets for that domain, they will be used
+ educates local config view --domain test.example.com
+`
+)
+
+type LocalConfigViewOptions struct {
+ Config string
+ Domain string
+}
+
+func (o *LocalConfigViewOptions) Run() error {
+ fullConfig, err := config.ConfigForLocalClusters(o.Config, o.Domain, true)
+ if err != nil {
+ return err
+ }
+
+ configData, err := yaml.Marshal(&fullConfig)
+
+ if err != nil {
+ return errors.Wrap(err, "failed to generate installation config")
+ }
+
+ fmt.Print(string(configData))
+
+ return nil
+}
+
+func (p *ProjectInfo) NewLocalConfigViewCmd() *cobra.Command {
+ var o LocalConfigViewOptions
+
+ var c = &cobra.Command{
+ Args: cobra.NoArgs,
+ Use: "view",
+ Short: "View local configuration",
+ Long: "View local configuration. Uses nip.io wildcard domain and Kind as provider config defaults",
+ RunE: func(_ *cobra.Command, _ []string) error { return o.Run() },
+ Example: localConfigViewExample,
+ }
+
+ c.Flags().StringVar(
+ &o.Domain,
+ "domain",
+ "",
+ "wildcard ingress subdomain name for Educates",
+ )
+
+ c.Flags().StringVar(
+ &o.Config,
+ "config",
+ "",
+ "path to the installation config file for Educates",
+ )
+
+ return c
+}
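Review bot: Run marshals the entire result of `config.ConfigForLocalClusters` to stdout, and the example text says that cached secrets for the domain "will be used", so if that call folds the cached TLS key, CA or registry credentials into fullConfig they are printed in clear by `educates local config view`; that is worth confirming against ConfigForLocalClusters and, if so, redacting those fields or at least stating it in the Long text. The first example, `educates local config view --config NULL`, relies on a sentinel that the `--config` flag help ("path to the installation config file for Educates") does not mention; either document it in the flag description or drop the example.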
diff --git a/client-programs/pkg/cmd/admin_registry_cmd_group.go b/client-programs/pkg/cmd/local_registry_cmd_group.go
similarity index 77%
rename from client-programs/pkg/cmd/admin_registry_cmd_group.go
rename to client-programs/pkg/cmd/local_registry_cmd_group.go
index ebb4167cd..0c9cc1d1e 100644
--- a/client-programs/pkg/cmd/admin_registry_cmd_group.go
+++ b/client-programs/pkg/cmd/local_registry_cmd_group.go
@@ -5,7 +5,7 @@ import (
 "k8s.io/kubectl/pkg/util/templates"
 )
-func (p *ProjectInfo) NewAdminRegistryCmdGroup() *cobra.Command {
+func (p *ProjectInfo) NewLocalRegistryCmdGroup() *cobra.Command {
 var c = &cobra.Command{
 Use: "registry",
 Short: "Manage local image registry",
@@ -19,8 +19,9 @@ func (p *ProjectInfo) NewAdminRegistryCmdGroup() *cobra.Command {
 {
 Message: "Available Commands:",
 Commands: []*cobra.Command{
- p.NewAdminRegistryDeployCmd(),
- p.NewAdminRegistryDeleteCmd(),
+ p.NewLocalRegistryDeployCmd(),
+ p.NewLocalRegistryDeleteCmd(),
+ p.NewLocalRegistryPruneCmd(),
 },
 },
 }
diff --git a/client-programs/pkg/cmd/admin_registry_delete_cmd.go b/client-programs/pkg/cmd/local_registry_delete_cmd.go
similarity index 84%
rename from client-programs/pkg/cmd/admin_registry_delete_cmd.go
rename to client-programs/pkg/cmd/local_registry_delete_cmd.go
index da0b6544a..93411a63e 100644
--- a/client-programs/pkg/cmd/admin_registry_delete_cmd.go
+++ b/client-programs/pkg/cmd/local_registry_delete_cmd.go
@@ -6,7 +6,7 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/registry"
 )
-func (p *ProjectInfo) NewAdminRegistryDeleteCmd() *cobra.Command {
+func (p *ProjectInfo) NewLocalRegistryDeleteCmd() *cobra.Command {
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "delete",
diff --git a/client-programs/pkg/cmd/admin_registry_deploy_cmd.go b/client-programs/pkg/cmd/local_registry_deploy_cmd.go
similarity index 59%
rename from client-programs/pkg/cmd/admin_registry_deploy_cmd.go
rename to client-programs/pkg/cmd/local_registry_deploy_cmd.go
index 7bfe3f70b..8af32ecea 100644
--- a/client-programs/pkg/cmd/admin_registry_deploy_cmd.go
+++ b/client-programs/pkg/cmd/local_registry_deploy_cmd.go
@@ -10,12 +10,13 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/registry"
 )
-type AdminRegistryDeployOptions struct {
- Kubeconfig string
+type LocalRegistryDeployOptions struct {
+ KubeconfigOptions
+ BindIP string
 }
-func (o *AdminRegistryDeployOptions) Run() error {
- err := registry.DeployRegistry()
+func (o *LocalRegistryDeployOptions) Run() error {
+ err := registry.DeployRegistry(o.BindIP)
 if err != nil {
 return errors.Wrap(err, "failed to deploy registry")
@@ -31,7 +32,12 @@ func (o *AdminRegistryDeployOptions) Run() error {
 fmt.Println("Warning: Kubernetes cluster not linked to image registry.")
 }
- clusterConfig := cluster.NewClusterConfig(o.Kubeconfig)
+ clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context)
+
+ if err != nil {
+ fmt.Println("Warning: Kubernetes cluster not available")
+ return nil
+ }
 client, err := clusterConfig.GetClient()
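Review bot: When `cluster.NewClusterConfigIfAvailable` fails, the new branch prints the fixed text "Warning: Kubernetes cluster not available" and returns nil, discarding err, so a mistyped `--context` or an unreadable kubeconfig is indistinguishable from there being no cluster at all. Include the cause so the registry still deploys but the user sees why it was not linked: `fmt.Printf("Warning: Kubernetes cluster not available: %v\n", err)`. Run's body continues past the end of this hunk.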
@@ -48,14 +54,22 @@ func (o *AdminRegistryDeployOptions) Run() error {
 return nil
 }
-func (p *ProjectInfo) NewAdminRegistryDeployCmd() *cobra.Command {
- var o AdminRegistryDeployOptions
+func (p *ProjectInfo) NewLocalRegistryDeployCmd() *cobra.Command {
+ var o LocalRegistryDeployOptions
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "deploy",
 Short: "Deploys a local image registry",
- RunE: func(_ *cobra.Command, _ []string) error { return o.Run() },
+ RunE: func(cmd *cobra.Command, _ []string) error {
+ ip, err := registry.ValidateAndResolveIP(o.BindIP)
+ if err != nil {
+ return errors.Wrap(err, "invalid registry bind IP")
+ }
+ o.BindIP = ip
+
+ return o.Run()
+ },
 }
 c.Flags().StringVar(
@@ -65,5 +79,19 @@ func (p *ProjectInfo) NewAdminRegistryDeployCmd() *cobra.Command {
 "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config",
 )
+ c.Flags().StringVar(
+ &o.Context,
+ "context",
+ "",
+ "Context to use from Kubeconfig",
+ )
+
+ c.Flags().StringVar(
+ &o.BindIP,
+ "bind-ip",
+ "127.0.0.1",
+ "Bind ip for the registry service",
+ )
+
 return c
 }
diff --git a/client-programs/pkg/cmd/local_registry_prune_cmd.go b/client-programs/pkg/cmd/local_registry_prune_cmd.go
new file mode 100644
index 000000000..b152916bc
--- /dev/null
+++ b/client-programs/pkg/cmd/local_registry_prune_cmd.go
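Review bot: The `--bind-ip` help text, "Bind ip for the registry service", does not say that any value other than the 127.0.0.1 default makes the local registry reachable from that network, and nothing in this diff adds authentication in front of it; suggest `"IP address the registry listens on; a non-loopback address exposes the registry to that network"`. What `registry.ValidateAndResolveIP` accepts is not visible here, so whether 0.0.0.0 is permitted (and should be) needs checking in that helper.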
@@ -0,0 +1,34 @@
+package cmd
+
+import (
+ "github.com/pkg/errors"
+ "github.com/spf13/cobra"
+
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/registry"
+)
+
+type LocalRegistryPruneOptions struct {
+}
+
+func (o *LocalRegistryPruneOptions) Run() error {
+ err := registry.PruneRegistry()
+
+ if err != nil {
+ return errors.Wrap(err, "failed to prune registry")
+ }
+
+ return nil
+}
+
+func (p *ProjectInfo) NewLocalRegistryPruneCmd() *cobra.Command {
+ var o LocalRegistryPruneOptions
+
+ var c = &cobra.Command{
+ Args: cobra.NoArgs,
+ Use: "prune",
+ Short: "Prunes the local image registry (deletes any untagged image)",
+ RunE: func(_ *cobra.Command, _ []string) error { return o.Run() },
+ }
+
+ return c
+}
diff --git a/client-programs/pkg/cmd/admin_resolver_cmd_group.go b/client-programs/pkg/cmd/local_resolver_cmd_group.go
similarity index 81%
rename from client-programs/pkg/cmd/admin_resolver_cmd_group.go
rename to client-programs/pkg/cmd/local_resolver_cmd_group.go
index 4ff4eaa14..925856964 100644
--- a/client-programs/pkg/cmd/admin_resolver_cmd_group.go
+++ b/client-programs/pkg/cmd/local_resolver_cmd_group.go
@@ -5,7 +5,7 @@ import (
 "k8s.io/kubectl/pkg/util/templates"
 )
-func (p *ProjectInfo) NewAdminResolverCmdGroup() *cobra.Command {
+func (p *ProjectInfo) NewLocalResolverCmdGroup() *cobra.Command {
 var c = &cobra.Command{
 Use: "resolver",
 Short: "Manage local DNS resolver",
@@ -19,8 +19,8 @@ func (p *ProjectInfo) NewAdminResolverCmdGroup() *cobra.Command {
 {
 Message: "Available Commands:",
 Commands: []*cobra.Command{
- p.NewAdminResolverDeployCmd(),
- p.NewAdminResolverDeleteCmd(),
+ p.NewLocalResolverDeployCmd(),
+ p.NewLocalResolverDeleteCmd(),
 },
 },
 }
diff --git a/client-programs/pkg/cmd/admin_resolver_delete_cmd.go b/client-programs/pkg/cmd/local_resolver_delete_cmd.go
similarity index 84%
rename from client-programs/pkg/cmd/admin_resolver_delete_cmd.go
rename to client-programs/pkg/cmd/local_resolver_delete_cmd.go
index f5ab13760..0d5393009 100644
--- a/client-programs/pkg/cmd/admin_resolver_delete_cmd.go
+++ b/client-programs/pkg/cmd/local_resolver_delete_cmd.go
@@ -6,7 +6,7 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/resolver"
 )
-func (p *ProjectInfo) NewAdminResolverDeleteCmd() *cobra.Command {
+func (p *ProjectInfo) NewLocalResolverDeleteCmd() *cobra.Command {
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "delete",
diff --git a/client-programs/pkg/cmd/admin_resolver_deploy_cmd.go b/client-programs/pkg/cmd/local_resolver_deploy_cmd.go
similarity index 54%
rename from client-programs/pkg/cmd/admin_resolver_deploy_cmd.go
rename to client-programs/pkg/cmd/local_resolver_deploy_cmd.go
index 97864f760..f3812137a 100644
--- a/client-programs/pkg/cmd/admin_resolver_deploy_cmd.go
+++ b/client-programs/pkg/cmd/local_resolver_deploy_cmd.go
@@ -7,27 +7,34 @@ import (
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/resolver"
 )
-type AdminResolverDeployOptions struct {
+type LocalResolverDeployOptions struct {
 Config string
 Domain string
 }
-func (o *AdminResolverDeployOptions) Run() error {
- config, err := config.NewInstallationConfigFromFile(o.Config)
+func (o *LocalResolverDeployOptions) Run() error {
+ var fullConfig *config.InstallationConfig
+ var err error = nil
+
+ if o.Config != "" {
+ fullConfig, err = config.NewInstallationConfigFromFile(o.Config)
+ } else {
+ fullConfig, err = config.NewInstallationConfigFromUserFile()
+ }
 if err != nil {
 return err
 }
 if o.Domain != "" {
- config.ClusterIngress.Domain = o.Domain
+ fullConfig.ClusterIngress.Domain = o.Domain
 }
- return resolver.DeployResolver(config.ClusterIngress.Domain, config.LocalDNSResolver.TargetAddress, config.LocalDNSResolver.ExtraDomains)
+ return resolver.DeployResolver(fullConfig.ClusterIngress.Domain, fullConfig.LocalDNSResolver.TargetAddress, fullConfig.LocalDNSResolver.ExtraDomains)
 }
-func (p *ProjectInfo) NewAdminResolverDeployCmd() *cobra.Command {
- var o AdminResolverDeployOptions
+func (p *ProjectInfo) NewLocalResolverDeployCmd() *cobra.Command {
+ var o LocalResolverDeployOptions
 var c = &cobra.Command{
 Args: cobra.NoArgs,
diff --git a/client-programs/pkg/cmd/admin_secrets_add_cmd.go b/client-programs/pkg/cmd/local_secrets_add_cmd.go
similarity index 86%
rename from client-programs/pkg/cmd/admin_secrets_add_cmd.go
rename to client-programs/pkg/cmd/local_secrets_add_cmd.go
index dc29b8293..59b1019d4 100644
--- a/client-programs/pkg/cmd/admin_secrets_add_cmd.go
+++ b/client-programs/pkg/cmd/local_secrets_add_cmd.go
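Review bot: Without `--config`, Run now loads the user file through `config.NewInstallationConfigFromUserFile`, whereas `local cluster create` and `local config view` in this same diff go through `config.ConfigForLocalClusters(o.Config, o.Domain, true)`, whose help text says it applies the nip.io default domain; if the user-file loader does not apply the same defaults, `local resolver deploy` will serve a different domain than the cluster it is meant to resolve, so replacing the if/else with `fullConfig, err := config.ConfigForLocalClusters(o.Config, o.Domain, true)` would keep the three commands consistent (confirm that helper's defaulting before switching). Separately, `var err error = nil` is the zero value already; `var err error` is the idiomatic form.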
@@ -8,16 +8,16 @@ import (
 "path"
 "regexp"
- "github.com/adrg/xdg"
 "github.com/pkg/errors"
 "github.com/spf13/cobra"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils"
 apiv1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/kubectl/pkg/util/templates"
 "sigs.k8s.io/yaml"
 )
-func (p *ProjectInfo) NewAdminSecretsAddCmdGroup() *cobra.Command {
+func (p *ProjectInfo) NewLocalSecretsAddCmdGroup() *cobra.Command {
 var c = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "add",
@@ -32,10 +32,10 @@ func (p *ProjectInfo) NewAdminSecretsAddCmdGroup() *cobra.Command {
 {
 Message: "Available Commands:",
 Commands: []*cobra.Command{
- p.NewAdminSecretsAddCaCmd(),
- p.NewAdminSecretsAddDockerRegistryCmd(),
- // NewAdminSecretsAddGenericCmd(),
- p.NewAdminSecretsAddTlsCmd(),
+ p.NewLocalSecretsAddCaCmd(),
+ p.NewLocalSecretsAddDockerRegistryCmd(),
+ // NewLocalSecretsAddGenericCmd(),
+ p.NewLocalSecretsAddTlsCmd(),
 },
 },
 }
@@ -47,13 +47,13 @@ func (p *ProjectInfo) NewAdminSecretsAddCmdGroup() *cobra.Command {
 return c
 }
-type AdminSecretsAddTlsOptions struct {
+type LocalSecretsAddTlsOptions struct {
 CertFile string
 KeyFile string
 IngressDomain string
 }
-func (o *AdminSecretsAddTlsOptions) Run(name string) error {
+func (o *LocalSecretsAddTlsOptions) Run(name string) error {
 var err error
 var matched bool
@@ -112,8 +112,7 @@ func (o *AdminSecretsAddTlsOptions) Run(name string) error {
 return errors.Wrap(err, "failed to generate YAML data")
 }
- configFileDir := path.Join(xdg.DataHome, "educates")
- secretsCacheDir := path.Join(configFileDir, "secrets")
+ secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets")
 err = os.MkdirAll(secretsCacheDir, os.ModePerm)
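Review bot: The secrets cache is relocated to `path.Join(utils.GetEducatesHomeDir(), "secrets")`, which is where the TLS secret built from `CertFile`/`KeyFile` is presumably written, but the `os.MkdirAll(secretsCacheDir, os.ModePerm)` on the following line still creates that directory as 0777 minus umask. Since this change decides where the private key lands, it is the right moment to tighten it to `err = os.MkdirAll(secretsCacheDir, 0o700)`, and likewise in the CA and docker-registry variants that make the same change further down. Run's body continues outside this hunk, so the file write itself is not visible here.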
@@ -140,8 +139,8 @@ func (o *AdminSecretsAddTlsOptions) Run(name string) error { return nil } -func (p *ProjectInfo) NewAdminSecretsAddTlsCmd() *cobra.Command { - var o AdminSecretsAddTlsOptions +func (p *ProjectInfo) NewLocalSecretsAddTlsCmd() *cobra.Command { + var o LocalSecretsAddTlsOptions var c = &cobra.Command{ Args: cobra.ExactArgs(1), @@ -174,12 +173,12 @@ func (p *ProjectInfo) NewAdminSecretsAddTlsCmd() *cobra.Command { return c } -type AdminSecretsAddCaOptions struct { +type LocalSecretsAddCaOptions struct { CertFile string IngressDomain string } -func (o *AdminSecretsAddCaOptions) Run(name string) error { +func (o *LocalSecretsAddCaOptions) Run(name string) error { var err error var matched bool @@ -228,8 +227,7 @@ func (o *AdminSecretsAddCaOptions) Run(name string) error { return errors.Wrap(err, "failed to generate YAML data") } - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") + secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets") err = os.MkdirAll(secretsCacheDir, os.ModePerm) @@ -256,8 +254,8 @@ func (o *AdminSecretsAddCaOptions) Run(name string) error { return nil } -func (p *ProjectInfo) NewAdminSecretsAddCaCmd() *cobra.Command { - var o AdminSecretsAddCaOptions +func (p *ProjectInfo) NewLocalSecretsAddCaCmd() *cobra.Command { + var o LocalSecretsAddCaOptions var c = &cobra.Command{ Args: cobra.ExactArgs(1), @@ -284,14 +282,14 @@ func (p *ProjectInfo) NewAdminSecretsAddCaCmd() *cobra.Command { return c } -type AdminSecretsAddDockerRegistryOptions struct { +type LocalSecretsAddDockerRegistryOptions struct { Server string Username string Password string Email string } -func (o *AdminSecretsAddDockerRegistryOptions) Run(name string) error { +func (o *LocalSecretsAddDockerRegistryOptions) Run(name string) error { var err error var matched bool 
@@ -340,8 +338,7 @@ func (o *AdminSecretsAddDockerRegistryOptions) Run(name string) error { return errors.Wrap(err, "failed to generate YAML data") } - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") + secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets") err = os.MkdirAll(secretsCacheDir, os.ModePerm) @@ -368,8 +365,8 @@ func (o *AdminSecretsAddDockerRegistryOptions) Run(name string) error { return nil } -func (p *ProjectInfo) NewAdminSecretsAddDockerRegistryCmd() *cobra.Command { - var o AdminSecretsAddDockerRegistryOptions +func (p *ProjectInfo) NewLocalSecretsAddDockerRegistryCmd() *cobra.Command { + var o LocalSecretsAddDockerRegistryOptions var c = &cobra.Command{ Args: cobra.ExactArgs(1), @@ -408,17 +405,17 @@ func (p *ProjectInfo) NewAdminSecretsAddDockerRegistryCmd() *cobra.Command { return c } -type AdminSecretsAddGenericOptions struct { +type LocalSecretsAddGenericOptions struct { FileSources []string LiteralSources []string } -func (o *AdminSecretsAddGenericOptions) Run(name string) error { +func (o *LocalSecretsAddGenericOptions) Run(name string) error { return nil } -func (p *ProjectInfo) NewAdminSecretsAddGenericCmd() *cobra.Command { - var o AdminSecretsAddGenericOptions +func (p *ProjectInfo) NewLocalSecretsAddGenericCmd() *cobra.Command { + var o LocalSecretsAddGenericOptions var c = &cobra.Command{ Args: cobra.ExactArgs(1), diff --git a/client-programs/pkg/cmd/local_secrets_cmd_group.go b/client-programs/pkg/cmd/local_secrets_cmd_group.go new file mode 100644 index 000000000..e26acc7a2 --- /dev/null +++ b/client-programs/pkg/cmd/local_secrets_cmd_group.go 
@@ -0,0 +1,37 @@ +package cmd + +import ( + "github.com/spf13/cobra" + "k8s.io/kubectl/pkg/util/templates" +) + +func (p *ProjectInfo) NewLocalSecretsCmdGroup() *cobra.Command { + var c = &cobra.Command{ + Use: "secrets", + Short: "Manage local secrets cache", + } + + // Use a command group as it allows us to dictate the order in which they + // are displayed in the help message, as otherwise they are displayed in + // sort order. + + commandGroups := templates.CommandGroups{ + { + Message: "Available Commands:", + Commands: []*cobra.Command{ + p.NewLocalSecretsAddCmdGroup(), + p.NewLocalSecretsListCmd(), + p.NewLocalSecretsExportCmd(), + p.NewLocalSecretsImportCmd(), + p.NewLocalSecretsSyncCmd(), + p.NewLocalSecretsRemoveCmd(), + }, + }, + } + + commandGroups.Add(c) + + templates.ActsAsRootCommand(c, []string{"--help"}, commandGroups...) + + return c +} diff --git a/client-programs/pkg/cmd/local_secrets_export_cmd.go b/client-programs/pkg/cmd/local_secrets_export_cmd.go new file mode 100644 index 000000000..4694295c1 --- /dev/null +++ b/client-programs/pkg/cmd/local_secrets_export_cmd.go @@ -0,0 +1,37 @@ +package cmd + +import ( + "os" + "path" + + "github.com/pkg/errors" + "github.com/spf13/cobra" + + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" +) + +func (p *ProjectInfo) NewLocalSecretsExportCmd() *cobra.Command { + var c = &cobra.Command{ + Args: cobra.ArbitraryArgs, + Use: "export [NAME]", + Short: "Export secrets in the cache", + RunE: func(_ *cobra.Command, args []string) error { + secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets") + + err := os.MkdirAll(secretsCacheDir, os.ModePerm) + + if err != nil { + return errors.Wrapf(err, "unable to create secrets cache directory") + } + + err = utils.PrintYamlFilesInDir(secretsCacheDir, args) + if err != nil { + return errors.Wrapf(err, "unable to read secrets cache directory") + } + + return nil + }, + } + + return c +} 
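Review bot: The new export command forwards `args` to `utils.PrintYamlFilesInDir` without any name validation, while the remove command later in this series rejects names that fail a regexp check with `invalid secret name %q`; if PrintYamlFilesInDir joins the names onto the directory path (its body is not in this diff), an unvalidated argument is what selects the file read, so the same regexp check belongs here before the call. `export` also prints cached secret material (TLS keys, registry passwords) to stdout by design, so a `Long:` description saying so would help users avoid redirecting it into logs. Minor: `errors.Wrapf` is used with no format arguments in both error paths, where `errors.Wrap` is the matching call, and `os.MkdirAll` on an export path is unnecessary since a missing directory simply means there is nothing to export.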
diff --git a/client-programs/pkg/cmd/admin_secrets_import_cmd.go b/client-programs/pkg/cmd/local_secrets_import_cmd.go similarity index 89% rename from client-programs/pkg/cmd/admin_secrets_import_cmd.go rename to client-programs/pkg/cmd/local_secrets_import_cmd.go index 85bad3e34..68c67ad18 100644 --- a/client-programs/pkg/cmd/admin_secrets_import_cmd.go +++ b/client-programs/pkg/cmd/local_secrets_import_cmd.go @@ -7,9 +7,9 @@ import ( "regexp" "syscall" - "github.com/adrg/xdg" "github.com/pkg/errors" "github.com/spf13/cobra" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" apiv1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" @@ -17,13 +17,12 @@ import ( "sigs.k8s.io/yaml" ) -type AdminSecretsImportOptions struct { +type LocalSecretsImportOptions struct { File string } -func (o *AdminSecretsImportOptions) Run() error { - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") +func (o *LocalSecretsImportOptions) Run() error { + secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets") err := os.MkdirAll(secretsCacheDir, os.ModePerm) @@ -106,8 +105,8 @@ func (o *AdminSecretsImportOptions) Run() error { return nil } -func (p *ProjectInfo) NewAdminSecretsImportCmd() *cobra.Command { - var o AdminSecretsImportOptions +func (p *ProjectInfo) NewLocalSecretsImportCmd() *cobra.Command { + var o LocalSecretsImportOptions var c = &cobra.Command{ Args: cobra.ArbitraryArgs, diff --git a/client-programs/pkg/cmd/admin_secrets_list_cmd.go b/client-programs/pkg/cmd/local_secrets_list_cmd.go similarity index 77% rename from client-programs/pkg/cmd/admin_secrets_list_cmd.go rename to client-programs/pkg/cmd/local_secrets_list_cmd.go index b73ebd3e1..0cf9b4ebd 100644 --- a/client-programs/pkg/cmd/admin_secrets_list_cmd.go +++ b/client-programs/pkg/cmd/local_secrets_list_cmd.go 
@@ -6,19 +6,18 @@ import ( "path" "strings" - "github.com/adrg/xdg" "github.com/pkg/errors" "github.com/spf13/cobra" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" ) -func (p *ProjectInfo) NewAdminSecretsListCmd() *cobra.Command { +func (p *ProjectInfo) NewLocalSecretsListCmd() *cobra.Command { var c = &cobra.Command{ Args: cobra.NoArgs, Use: "list", Short: "List secrets in the cache", RunE: func(_ *cobra.Command, _ []string) error { - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") + secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets") err := os.MkdirAll(secretsCacheDir, os.ModePerm) diff --git a/client-programs/pkg/cmd/admin_secrets_remove_cmd.go b/client-programs/pkg/cmd/local_secrets_remove_cmd.go similarity index 76% rename from client-programs/pkg/cmd/admin_secrets_remove_cmd.go rename to client-programs/pkg/cmd/local_secrets_remove_cmd.go index 29c04c2fc..dfff72c64 100644 --- a/client-programs/pkg/cmd/admin_secrets_remove_cmd.go +++ b/client-programs/pkg/cmd/local_secrets_remove_cmd.go @@ -5,12 +5,12 @@ import ( "path" "regexp" - "github.com/adrg/xdg" "github.com/pkg/errors" "github.com/spf13/cobra" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" ) -func (p *ProjectInfo) NewAdminSecretsRemoveCmd() *cobra.Command { +func (p *ProjectInfo) NewLocalSecretsRemoveCmd() *cobra.Command { var c = &cobra.Command{ Args: cobra.ExactArgs(1), Use: "remove NAME", @@ -29,8 +29,7 @@ func (p *ProjectInfo) NewAdminSecretsRemoveCmd() *cobra.Command { return errors.Errorf("invalid secret name %q", name) } - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") + secretsCacheDir := path.Join(utils.GetEducatesHomeDir(), "secrets") secretFilePath := path.Join(secretsCacheDir, name+".yaml") 
diff --git a/client-programs/pkg/cmd/admin_secrets_sync_cmd.go b/client-programs/pkg/cmd/local_secrets_sync_cmd.go similarity index 52% rename from client-programs/pkg/cmd/admin_secrets_sync_cmd.go rename to client-programs/pkg/cmd/local_secrets_sync_cmd.go index be7b47077..09a332c06 100644 --- a/client-programs/pkg/cmd/admin_secrets_sync_cmd.go +++ b/client-programs/pkg/cmd/local_secrets_sync_cmd.go @@ -4,14 +4,19 @@ import ( "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/secrets" ) -type AdminSecretsSyncOptions struct { - Kubeconfig string +type LocalSecretsSyncOptions struct { + KubeconfigOptions } -func (o *AdminSecretsSyncOptions) Run() error { - clusterConfig := cluster.NewClusterConfig(o.Kubeconfig) +func (o *LocalSecretsSyncOptions) Run() error { + clusterConfig, err := cluster.NewClusterConfigIfAvailable(o.Kubeconfig, o.Context) + + if err != nil { + return err + } client, err := clusterConfig.GetClient() @@ -19,11 +24,11 @@ func (o *AdminSecretsSyncOptions) Run() error { return errors.Wrapf(err, "unable to create Kubernetes client") } - return SyncSecretsToCluster(client) + return secrets.SyncLocalCachedSecretsToCluster(client) } -func (p *ProjectInfo) NewAdminSecretsSyncCmd() *cobra.Command { - var o AdminSecretsSyncOptions +func (p *ProjectInfo) NewLocalSecretsSyncCmd() *cobra.Command { + var o LocalSecretsSyncOptions var c = &cobra.Command{ Args: cobra.NoArgs, @@ -39,5 +44,12 @@ func (p *ProjectInfo) NewAdminSecretsSyncCmd() *cobra.Command { "kubeconfig file to use instead of $KUBECONFIG or $HOME/.kube/config", ) + c.Flags().StringVar( + &o.Context, + "context", + "", + "Context to use from Kubeconfig", + ) + return c } diff --git a/client-programs/pkg/cmd/types.go b/client-programs/pkg/cmd/types.go new file mode 100644 index 000000000..28b3355a0 --- /dev/null 
+++ b/client-programs/pkg/cmd/types.go @@ -0,0 +1,6 @@ +package cmd + +type KubeconfigOptions struct { + Kubeconfig string + Context string +} diff --git a/client-programs/pkg/cmd/workshop_export_cmd.go b/client-programs/pkg/cmd/workshop_export_cmd.go index f4c0beed0..51a706bd2 100644 --- a/client-programs/pkg/cmd/workshop_export_cmd.go +++ b/client-programs/pkg/cmd/workshop_export_cmd.go @@ -6,9 +6,9 @@ import ( "path/filepath" "strings" + yttcmd "carvel.dev/ytt/pkg/cmd/template" "github.com/pkg/errors" "github.com/spf13/cobra" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" "gopkg.in/yaml.v2" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" diff --git a/client-programs/pkg/cmd/workshop_publish_cmd.go b/client-programs/pkg/cmd/workshop_publish_cmd.go index 1831983ad..b802d8e2f 100644 --- a/client-programs/pkg/cmd/workshop_publish_cmd.go +++ b/client-programs/pkg/cmd/workshop_publish_cmd.go @@ -9,16 +9,16 @@ import ( "strings" "time" + imgpkgcmd "carvel.dev/imgpkg/pkg/imgpkg/cmd" + "carvel.dev/kapp/pkg/kapp/cmd" + vendirsync "carvel.dev/vendir/pkg/vendir/cmd" + yttcmd "carvel.dev/ytt/pkg/cmd/template" + yttcmdui "carvel.dev/ytt/pkg/cmd/ui" + "carvel.dev/ytt/pkg/files" + "carvel.dev/ytt/pkg/yamlmeta" "github.com/cppforlife/go-cli-ui/ui" "github.com/pkg/errors" "github.com/spf13/cobra" - imgpkgcmd "github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/cmd" - "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd" - vendirsync "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/cmd" - yttcmd "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/template" - yttcmdui "github.com/vmware-tanzu/carvel-ytt/pkg/cmd/ui" - "github.com/vmware-tanzu/carvel-ytt/pkg/files" - "github.com/vmware-tanzu/carvel-ytt/pkg/yamlmeta" "gopkg.in/yaml.v2" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
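Review bot: The new exported KubeconfigOptions type has no doc comment, and it is embedded in LocalSecretsSyncOptions in the sync hunk above so its fields surface as flags on cluster-facing commands; `// KubeconfigOptions carries the --kubeconfig path and --context name shared by commands that talk to a cluster.` would cover it. A one-line comment per field (`// Kubeconfig is the file used instead of $KUBECONFIG or $HOME/.kube/config.`, `// Context is the kubeconfig context to use; empty means the current context.`) would keep the flag help text and the type in sync, with the second hedged until the resolution of an empty Context is confirmed in cluster.NewClusterConfigIfAvailable.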
@@ -240,6 +240,9 @@ func (o *FilesPublishOptions) Publish(directory string) error { return errors.Wrap(err, "unable to push image artifact for workshop") } + // We add a newline to output for better readability. + fmt.Println() + // Export modified workshop definition file. exportWorkshop := o.ExportWorkshop diff --git a/client-programs/pkg/config/host.go b/client-programs/pkg/config/host.go index fe278d90c..49fc6001e 100644 --- a/client-programs/pkg/config/host.go +++ b/client-programs/pkg/config/host.go @@ -1,6 +1,7 @@ package config import ( + "fmt" "net" "github.com/pkg/errors" @@ -42,3 +43,13 @@ func HostIP() (string, error) { } return "", errors.New("are you connected to the network?") } + +func GetHostIpAsDns() string { + localIPAddress, err := HostIP() + + if err != nil { + localIPAddress = "127.0.0.1" + } + + return fmt.Sprintf("%s.nip.io", localIPAddress) +} diff --git a/client-programs/pkg/config/installationconfig.go b/client-programs/pkg/config/installationconfig.go index 661124ff4..3d7cf1c1a 100644 --- a/client-programs/pkg/config/installationconfig.go +++ b/client-programs/pkg/config/installationconfig.go 
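Review bot: GetHostIpAsDns in the second host.go hunk discards the HostIP error and returns `127.0.0.1.nip.io`, so a caller cannot distinguish a real address from the fallback; at minimum the exported function needs a doc comment stating that: `// GetHostIpAsDns returns "<host-ip>.nip.io" for the host's primary IP, or "127.0.0.1.nip.io" when HostIP fails.` If callers can act on the failure, returning the error (or at least logging it) would be preferable to hiding it behind a loopback default. Go naming would spell it GetHostIPAsDNS, which is cheap to adopt while the callers in NewDefaultInstallationConfig and EducatesDomain are being introduced in this same commit.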
@@ -1,43 +1,90 @@ package config import ( - "fmt" "os" "path" - "github.com/adrg/xdg" "github.com/pkg/errors" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/secrets" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" "gopkg.in/yaml.v2" ) type VolumeMountConfig struct { HostPath string `yaml:"hostPath"` ContainerPath string `yaml:"containerPath"` - ReadOnly bool `yaml:"readOnly,omitempty"` + ReadOnly *bool `yaml:"readOnly,omitempty"` } type LocalKindClusterConfig struct { ListenAddress string `yaml:"listenAddress,omitempty"` + ApiServer KindApiServerConfig `yaml:"apiServer,omitempty"` VolumeMounts []VolumeMountConfig `yaml:"volumeMounts,omitempty"` } +type KindApiServerConfig struct { + Address string `yaml:"address,omitempty"` + Port int `yaml:"port,omitempty"` +} + type LocalDNSResolverConfig struct { TargetAddress string `yaml:"targetAddress,omitempty"` ExtraDomains []string `yaml:"extraDomains,omitempty"` } +type AwsClusterInfrastructureIRSARolesConfig struct { + ExternalDns string `yaml:"external-dns"` + CertManager string `yaml:"cert-manager"` +} + +type AwsClusterInfrastructureConfig struct { + AwsId string `yaml:"awsId,omitempty"` + Region string `yaml:"region"` + Route53Zone Route53ZoneConfig `yaml:"route53,omitempty"` + ClusterName string `yaml:"clusterName,omitempty"` + IRSARoles AwsClusterInfrastructureIRSARolesConfig `yaml:"irsaRoles,omitempty"` +} + +type Route53ZoneConfig struct { + HostedZoneId string `yaml:"hostedZone"` +} + +type GcpClusterInfrastructureWorkloadIdentitiesConfig struct { + ExternalDns string `yaml:"external-dns"` + CertManager string `yaml:"cert-manager"` +} + +type CloudDNSConfig struct { + Zone string `yaml:"zone,omitempty"` +} + +type GcpClusterInfrastructureConfig struct { + Project string `yaml:"project,omitempty"` + CloudDNS CloudDNSConfig `yaml:"cloudDNS,omitempty"` + IRSARoles GcpClusterInfrastructureWorkloadIdentitiesConfig 
`yaml:"workloadIdentity,omitempty"` +} + type ClusterInfrastructureConfig struct { - Provider string `yaml:"provider"` + // This can be only "kind", "eks", "gke" "custom" for now + Provider string `yaml:"provider"` + AWS AwsClusterInfrastructureConfig `yaml:"aws,omitempty"` + GCP GcpClusterInfrastructureConfig `yaml:"gcp,omitempty"` + CertificateRef CACertificateRefConfig `yaml:"caCertificateRef,omitempty"` } type PackageConfig struct { - Enabled bool `yaml:"enabled"` + Enabled *bool `yaml:"enabled,omitempty"` Settings map[string]interface{} `yaml:"settings"` } + type ClusterPackagesConfig struct { - Contour PackageConfig `yaml:"contour"` - Kyverno PackageConfig `yaml:"kyverno"` - MetaController PackageConfig `yaml:"metacontroller,omitempty"` + Contour PackageConfig `yaml:"contour,omitempty"` + CertManager PackageConfig `yaml:"cert-manager,omitempty"` + ExternalDns PackageConfig `yaml:"external-dns,omitempty"` + Certs PackageConfig `yaml:"certs,omitempty"` + Kyverno PackageConfig `yaml:"kyverno,omitempty"` + KappController PackageConfig `yaml:"kapp-controller,omitempty"` + Educates PackageConfig `yaml:"educates,omitempty"` } type TLSCertificateConfig struct { @@ -60,7 +107,7 @@ type CACertificateRefConfig struct { } type CANodeInjectorConfig struct { - Enabled bool `yaml:"enabled"` + Enabled *bool `yaml:"enabled"` } type ClusterRuntimeConfig struct { @@ -111,8 +158,18 @@ type TrainingPortalCredentialsConfig struct { Robot UserCredentialsConfig `yaml:"robot,omitempty"` } +type UserClientConfig struct { + Id string `yaml:"id"` + Secret string `yaml:"secret"` +} + +type TrainingPortalClientsConfig struct { + Robot UserClientConfig `yaml:"robot,omitempty"` +} + type TrainingPortalConfig struct { Credentials TrainingPortalCredentialsConfig `yaml:"credentials,omitempty"` + Clients TrainingPortalClientsConfig `yaml:"clients,omitempty"` } type WorkshopSecurityConfig struct { 
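Review bot: The comment added on `Provider` in the -1 hunk says the value can only be "kind", "eks", "gke", "custom", but ValidateProvider later in this file also accepts "vcluster" and "generic", so the comment is out of date within the same commit. Suggest `// Provider selects the cluster infrastructure; see ValidateProvider for the accepted values.` so there is a single source of truth, and fix the missing comma in the list if it is kept. Separately, `PackageConfig.Enabled` became `*bool` with omitempty, while `CANodeInjectorConfig.Enabled` in the -60 hunk and `ImagePullerConfig.Enabled`/`LookupServiceConfig.Enabled` in the -194 hunk are `*bool` without omitempty; as far as I recall yaml.v2 marshals a nil pointer without omitempty as `enabled: null`, which would show up whenever the config is printed, so `yaml:"enabled,omitempty"` is probably what was intended there too.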
@@ -136,8 +193,8 @@ type ProxyCacheConfig struct { } type DockerDaemonConfig struct { NetworkMTU int `yaml:"networkMTU,omitempty"` - Rootless bool `yaml:"rootless,omitempty"` - Privileged bool `yaml:"privileged,omitempty"` + Rootless *bool `yaml:"rootless,omitempty"` + Privileged *bool `yaml:"privileged,omitempty"` ProxyCache ProxyCacheConfig `yaml:"proxyCache,omitempty"` } @@ -194,6 +251,16 @@ type WebsiteStylingConfig struct { FrameAncestors []string `yaml:"frameAncestors,omitempty"` } +type ImagePullerConfig struct { + Enabled *bool `yaml:"enabled"` + PrePullImages []string `yaml:"prePullImages,omitempty"` +} + +type LookupServiceConfig struct { + Enabled *bool `yaml:"enabled"` + IngressPrefix string `yaml:"ingressPrefix,omitempty"` +} + type ClusterEssentialsConfig struct { ClusterInfrastructure ClusterInfrastructureConfig `yaml:"clusterInfrastructure,omitempty"` ClusterPackages ClusterPackagesConfig `yaml:"clusterPackages,omitempty"` 
@@ -210,14 +277,18 @@ type TrainingPlatformConfig struct { TrainingPortal TrainingPortalConfig `yaml:"trainingPortal,omitempty"` WorkshopSecurity WorkshopSecurityConfig `yaml:"workshopSecurity,omitempty"` ImageRegistry ImageRegistryConfig `yaml:"imageRegistry,omitempty"` + Version string `yaml:"version,omitempty"` ImageVersions []ImageVersionConfig `yaml:"imageVersions,omitempty"` DockerDaemon DockerDaemonConfig `yaml:"dockerDaemon,omitempty"` ClusterNetwork ClusterNetworkConfig `yaml:"clusterNetwork,omitempty"` WorkshopAnalytics WorkshopAnalyticsConfig `yaml:"workshopAnalytics,omitempty"` WebsiteStyling WebsiteStylingConfig `yaml:"websiteStyling,omitempty"` + ImagePuller ImagePullerConfig `yaml:"imagePuller,omitempty"` + LookupService LookupServiceConfig `yaml:"lookupService,omitempty"` } type InstallationConfig struct { + Debug *bool `yaml:"debug,omitempty"` LocalKindCluster LocalKindClusterConfig `yaml:"localKindCluster,omitempty"` LocalDNSResolver LocalDNSResolverConfig `yaml:"localDNSResolver,omitempty"` ClusterInfrastructure ClusterInfrastructureConfig `yaml:"clusterInfrastructure,omitempty"` 
@@ -231,37 +302,43 @@ type InstallationConfig struct { TrainingPortal TrainingPortalConfig `yaml:"trainingPortal,omitempty"` WorkshopSecurity WorkshopSecurityConfig `yaml:"workshopSecurity,omitempty"` ImageRegistry ImageRegistryConfig `yaml:"imageRegistry,omitempty"` + Version string `yaml:"version,omitempty"` ImageVersions []ImageVersionConfig `yaml:"imageVersions,omitempty"` DockerDaemon DockerDaemonConfig `yaml:"dockerDaemon,omitempty"` ClusterNetwork ClusterNetworkConfig `yaml:"clusterNetwork,omitempty"` WorkshopAnalytics WorkshopAnalyticsConfig `yaml:"workshopAnalytics,omitempty"` WebsiteStyling WebsiteStylingConfig `yaml:"websiteStyling,omitempty"` + ImagePuller ImagePullerConfig `yaml:"imagePuller,omitempty"` + LookupService LookupServiceConfig `yaml:"lookupService,omitempty"` } -func NewDefaultInstallationConfig() *InstallationConfig { - localIPAddress, err := HostIP() +type EducatesDomainStruct struct { + ClusterIngress ClusterIngressConfig `yaml:"clusterIngress,omitempty"` +} - if err != nil { - localIPAddress = "127.0.0.1" - } +const NULL_CONFIG_FILE = "NULL" +func NewDefaultInstallationConfig() *InstallationConfig { return &InstallationConfig{ ClusterInfrastructure: ClusterInfrastructureConfig{ Provider: "", }, ClusterPackages: ClusterPackagesConfig{ Contour: PackageConfig{ - Enabled: true, + Enabled: utils.BoolPointer(true), }, Kyverno: PackageConfig{ - Enabled: true, + Enabled: utils.BoolPointer(true), + }, + Educates: PackageConfig{ + Enabled: utils.BoolPointer(true), }, }, ClusterSecurity: ClusterSecurityConfig{ PolicyEngine: "kyverno", }, ClusterIngress: ClusterIngressConfig{ - Domain: fmt.Sprintf("%s.nip.io", localIPAddress), + Domain: GetHostIpAsDns(), }, WorkshopSecurity: WorkshopSecurityConfig{ RulesEngine: "kyverno", 
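Review bot: `const NULL_CONFIG_FILE = "NULL"` introduces a magic sentinel inside the config-file path namespace: a user who genuinely has a file named NULL in the working directory can never load it, and nothing documents the convention. A doc comment is the minimum: `// NULL_CONFIG_FILE is a sentinel config-file path meaning "ignore any user values file and use NewDefaultInstallationConfig".`; a dedicated boolean parameter on ConfigForLocalClusters would avoid overloading the path altogether. Go style would name it NullConfigFile rather than SCREAMING_SNAKE. EducatesDomainStruct is added in this hunk but is not referenced anywhere in the visible diff, so it should either get a comment saying what consumes it or be dropped.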
@@ -269,31 +346,137 @@ func NewDefaultInstallationConfig() *InstallationConfig { } } +func NewInstallationConfigFromUserFile() (*InstallationConfig, error) { + config := &InstallationConfig{} + + valuesFile := path.Join(utils.GetEducatesHomeDir(), "values.yaml") + + data, err := os.ReadFile(valuesFile) + + if err == nil && len(data) != 0 { + if err := yaml.UnmarshalStrict(data, &config); err != nil { + return nil, errors.Wrapf(err, "unable to parse default config file %s", valuesFile) + } + } else { + config = NewDefaultInstallationConfig() + } + + return config, nil +} + func NewInstallationConfigFromFile(configFile string) (*InstallationConfig, error) { - config := NewDefaultInstallationConfig() + config := &InstallationConfig{} - if configFile != "" { - data, err := os.ReadFile(configFile) + data, err := os.ReadFile(configFile) - if err != nil { - return nil, errors.Wrapf(err, "failed to read installation config file %s", configFile) + if err != nil { + return nil, errors.Wrapf(err, "failed to read installation config file %s", configFile) + } + + if err := yaml.UnmarshalStrict(data, &config); err != nil { + return nil, errors.Wrapf(err, "unable to parse installation config file %s", configFile) + } + + return config, nil +} + +func ConfigForLocalClusters(configFile string, domain string, local bool) (fullConfig *InstallationConfig, err error) { + if configFile == NULL_CONFIG_FILE { + fullConfig = NewDefaultInstallationConfig() + } else if configFile != "" { + fullConfig, err = NewInstallationConfigFromFile(configFile) + } else { + fullConfig, err = NewInstallationConfigFromUserFile() + } + + if err != nil { + return nil, err + } + + if local { + if fullConfig.ClusterInfrastructure.Provider != "" && + fullConfig.ClusterInfrastructure.Provider != "kind" && + fullConfig.ClusterInfrastructure.Provider != "custom" { + return nil, errors.New("Only kind or custom providers are supported for local clusters. 
If not provided, will default to kind") } - if err := yaml.Unmarshal(data, &config); err != nil { - return nil, errors.Wrapf(err, "unable to parse installation config file %s", configFile) + if fullConfig.ClusterInfrastructure.Provider == "" { + fullConfig.ClusterInfrastructure.Provider = "kind" } - } else { - configFileDir := path.Join(xdg.DataHome, "educates") - valuesFile := path.Join(configFileDir, "values.yaml") + } + + if domain != "" { + fullConfig.ClusterIngress.Domain = domain + } + + // We do resolve domain configuration precedence here + fullConfig.ClusterIngress.Domain = EducatesDomain(fullConfig) - data, err := os.ReadFile(valuesFile) + if local { + // This augments the installation config with the secrets that are cached locally + if secretName := secrets.LocalCachedSecretForIngressDomain(fullConfig.ClusterIngress.Domain); secretName != "" { + fullConfig.ClusterIngress.TLSCertificateRef.Namespace = "educates-secrets" + fullConfig.ClusterIngress.TLSCertificateRef.Name = secretName + } + + if secretName := secrets.LocalCachedSecretForCertificateAuthority(fullConfig.ClusterIngress.Domain); secretName != "" { + fullConfig.ClusterIngress.CACertificateRef.Namespace = "educates-secrets" + fullConfig.ClusterIngress.CACertificateRef.Name = secretName + } + } + + if err := ValidateProvider(fullConfig.ClusterInfrastructure.Provider); err != nil { + return nil, err + } + + return fullConfig, nil +} - if err == nil && len(data) != 0 { - if err := yaml.Unmarshal(data, &config); err != nil { - return nil, errors.Wrapf(err, "unable to parse default config file %s", valuesFile) +/** + * This function will return the configured educates Domain in the following order: + * 1. If the domain is set in the installation config, it will return that + * 2. If the domain is set in the Educates Package, it will return that + * 4. 
If none of the above are set, it will return the host IP as a DNS + */ +func EducatesDomain(config *InstallationConfig) string { + if config.ClusterIngress.Domain != "" { + return config.ClusterIngress.Domain + } + // Access config.ClusterPackages.Educates.Settings["ClusterConfig"] and see if there's a value + if educatesDomain, ok := config.ClusterPackages.Educates.Settings["clusterIngress"]; ok { + // Access educatesDomain.(map[string]interface{})["domain"] and return that + p := map[string]interface{}{} + if educatesDomainBytes, err := yaml.Marshal(educatesDomain); err == nil { + yaml.Unmarshal(educatesDomainBytes, &p) + if domain, ok := p["domain"].(string); ok { + return domain } } } + return GetHostIpAsDns() +} - return config, nil +func PrintConfigToStdout(config *InstallationConfig) error { + data, err := yaml.Marshal(config) + + if err != nil { + return errors.Wrap(err, "failed to marshal installation config") + } + + // fmt.Println("Configuration to be applied:") + // fmt.Println("-------------------------------") + // fmt.Println(string(data)) + os.Stdout.Write(data) + // fmt.Println("###############################") + + return nil +} + +func ValidateProvider(provider string) error { + switch provider { + case "eks", "kind", "gke", "custom", "vcluster", "generic": + return nil + default: + return errors.New("Invalid ClusterInsfrastructure Provider. Valid values are (eks, gke, kind, custom, vcluster, generic)") + } } diff --git a/client-programs/pkg/diagnostics/compress.go b/client-programs/pkg/diagnostics/compress.go new file mode 100644 index 000000000..1b0c575f2 --- /dev/null +++ b/client-programs/pkg/diagnostics/compress.go 
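Review bot: NewInstallationConfigFromUserFile treats any ReadFile failure as "no file" and silently falls back to the defaults, so a permission error or an unreadable values.yaml yields a default installation instead of an error; only a missing file should take that path: `if err != nil && !os.IsNotExist(err) { return nil, errors.Wrapf(err, "unable to read default config file %s", valuesFile) }` placed before the existing `if err == nil && len(data) != 0` check. In EducatesDomain the return value of `yaml.Unmarshal(educatesDomainBytes, &p)` is dropped, and its doc comment refers to "ClusterConfig" and numbers the steps 1, 2, 4 while the code reads the "clusterIngress" setting, so the comment should be rewritten to match. PrintConfigToStdout marshals the whole InstallationConfig, which includes the TrainingPortal credential and client-secret fields declared earlier in this file, so anyone redirecting the output into a log captures them; a doc comment stating that the output contains secrets, or redaction of those fields, is warranted, and the commented-out fmt.Println lines and the unchecked `os.Stdout.Write` error should not be left behind. The error string in ValidateProvider misspells "ClusterInsfrastructure", and both it and the "Only kind or custom providers…" message start with a capital letter, which Go error strings conventionally avoid.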
@@ -0,0 +1,85 @@ +package diagnostics + +import ( + "archive/tar" + "compress/gzip" + "io" + "os" + "path/filepath" + + "github.com/pkg/errors" +) + +func CompressDirToFile(tempDir string, targetFile string) error { + // Compress the directory into the file provided + out, err := os.Create(targetFile) + if err != nil { + errors.Errorf("Error writing archive:", err) + } + defer out.Close() + + files, err := filepath.Glob(filepath.Join(tempDir, "*")) + if err != nil { + return err + } + + gw := gzip.NewWriter(out) + defer gw.Close() + tw := tar.NewWriter(gw) + defer tw.Close() + + // Iterate over files and add them to the tar archive + for _, file := range files { + err := addToArchive(tw, file, tempDir) + if err != nil { + return err + } + } + + return nil +} + +func addToArchive(tw *tar.Writer, filename string, dir string) error { + // Open the file which will be written into the archive + file, err := os.Open(filename) + if err != nil { + return err + } + defer file.Close() + + // Get FileInfo about our file providing file size, mode, etc. + info, err := file.Stat() + if err != nil { + return err + } + + // Create a tar Header from the FileInfo data + header, err := tar.FileInfoHeader(info, info.Name()) + if err != nil { + return err + } + + // Use full path as name (FileInfoHeader only takes the basename) + // If we don't do this the directory strucuture would + // not be preserved + // https://golang.org/src/archive/tar/common.go?#L626 + // remove from filename the c.Dir + header.Name, err = filepath.Rel(dir, filename) + if err != nil { + return err + } + + // Write file header to the tar archive + err = tw.WriteHeader(header) + if err != nil { + return err + } + + // Copy file content to tar archive + _, err = io.Copy(tw, file) + if err != nil { + return err + } + + return nil +} diff --git a/client-programs/pkg/diagnostics/diagnostics.go b/client-programs/pkg/diagnostics/diagnostics.go new file mode 100644 index 000000000..4d533be85 --- /dev/null 
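Review bot: In CompressDirToFile the `os.Create` failure is not returned: `errors.Errorf("Error writing archive:", err)` builds an error and discards it, after which `defer out.Close()` and `gzip.NewWriter(out)` run on a nil *os.File and the first write panics. Replace it with `return errors.Wrapf(err, "unable to create archive %s", targetFile)`. The deferred `tw.Close()` and `gw.Close()` also drop their errors, and those closes are where the tar trailer and gzip footer are flushed, so a full disk yields a truncated archive reported as success; closing them explicitly at the end of the function and returning any error fixes that. Lastly, `filepath.Glob(filepath.Join(tempDir, "*"))` includes subdirectories, and addToArchive then calls io.Copy on a directory handle, which on Linux fails with "is a directory", so either skip directory entries or walk them with filepath.WalkDir.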
+++ b/client-programs/pkg/diagnostics/diagnostics.go 
@@ -0,0 +1,200 @@ +package diagnostics + +import ( + "fmt" + "io" + "os" + "path/filepath" + + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" +) + +type ClusterDiagnostics struct { + clusterConfig *cluster.ClusterConfig + dest string + verbose bool +} + +func NewClusterDiagnostics(clusterConfig *cluster.ClusterConfig, dest string, verbose bool) *ClusterDiagnostics { + return &ClusterDiagnostics{clusterConfig, dest, verbose} +} + +func (c *ClusterDiagnostics) Run() error { + // Check if the cluster is available + if err := cluster.IsClusterAvailableCheck(c.clusterConfig); err != nil { + return err + } + + tempDir, err := createTempDir() + if err != nil { + return err + } + defer os.RemoveAll(tempDir) + + clusterDiagnosticsFetcher := &ClusterDiagnosticsFetcher{c.clusterConfig, tempDir, c.verbose} + + // Fetch all Educates training related resources + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(trainingportalResource, "training-portals.yaml"); err != nil { + fmt.Println("Error fetching training portals: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(workshopResource, "workshops.yaml"); err != nil { + fmt.Println("Error fetching workshops: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(workshopsessionsResource, "workshop-sessions.yaml"); err != nil { + fmt.Println("Error fetching workshop sessions: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(workshoprequestsResource, "workshop-requests.yaml"); err != nil { + fmt.Println("Error fetching workshop requests: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(workshopenvironmentsResource, "workshop-environments.yaml"); err != nil { + fmt.Println("Error fetching workshop environments: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(workshopallocationsResource, "workshop-allocations.yaml"); err != nil { + fmt.Println("Error fetching 
workshop allocations: ", err) + } + + // getEducatesNamespaces + if err = clusterDiagnosticsFetcher.getEducatesNamespaces("educates-namespaces.yaml"); err != nil { + fmt.Println("Error fetching educates namespaces: ", err) + } + + // Fetch all Educates secrets related resources + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(secretcopierResource, "secret-copiers.yaml"); err != nil { + fmt.Println("Error fetching secret copiers: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(secretinjectorsResource, "secret-injectors.yaml"); err != nil { + fmt.Println("Error fetching secret injectors: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(secretexportersResource, "secret-exporters.yaml"); err != nil { + fmt.Println("Error fetching secret injectors: ", err) + } + if err = clusterDiagnosticsFetcher.fetchDynamicallyResources(secretimportersResource, "secret-importers.yaml"); err != nil { + fmt.Println("Error fetching secret injectors: ", err) + } + + // fetch logs for the session-manager, secret-manager deploymentments + if err = clusterDiagnosticsFetcher.fetchLogsForDeployment("deployment=session-manager", "educates", "session-manager.log"); err != nil { + fmt.Println("Error fetching logs for session-manager: ", err) + } + if err = clusterDiagnosticsFetcher.fetchLogsForDeployment("deployment=secrets-manager", "educates", "secrets-manager.log"); err != nil { + fmt.Println("Error fetching logs for secrets-manager: ", err) + } + // dump logs for all training-portal deployments + if err = clusterDiagnosticsFetcher.fetchLogsForDeployment("deployment=training-portal", "training.educates.dev/component=portal", "training-portal-%v.log"); err != nil { + fmt.Println("Error fetching logs for secrets-manager: ", err) + } + // Fetch workshop_list from Rest API for each training-portal + if err = clusterDiagnosticsFetcher.fetchTrainingPortalDetailsAtRest("training-portal-catalog-%v.json"); err != nil { + 
fmt.Println("Error fetching training portal details at Rest: ", err) + } + + // Fetch Educates related events + if err = clusterDiagnosticsFetcher.getEducatesNamespacesEvents("educates-events.yaml"); err != nil { + fmt.Println("Error fetching educates namespaces: ", err) + } + + // If directory is provided, check that it exists otherwise create it + dir, file, err := getDestDirAndFile(c.dest) + if err != nil { + return err + } + + // if file is provided, compress the directory and save it to the file + // else, copy all the files from the tempDir to the provided directory + if file != "" { + err = CompressDirToFile(tempDir, c.dest) + if err != nil { + return err + } + fmt.Println("Diagnostics files saved to file: ", c.dest) + } else { + copyAllFilesInDir(tempDir, dir) + fmt.Println("Diagnostics files saved to dir: ", dir) + } + + fmt.Println("Diagnostics completed successfully") + return nil +} + +// func (c *ClusterDiagnostics) checkDestination() error { +// if c.dir == "" { +// // Create a temporary directory +// tempDir, err := os.MkdirTemp("", "educates-diagnostics") +// if err != nil { +// return err +// } +// fmt.Println("Created temp dir: ", tempDir) +// c.dir = tempDir +// } else { +// // Check if the directory exists +// _, err := os.Stat(c.dir) +// if os.IsNotExist(err) { +// // Create the directory +// err := os.MkdirAll(c.dir, 0755) +// if err != nil { +// return err +// } +// } +// } + +// return nil +// } + +func createTempDir() (string, error) { + tempDir, err := os.MkdirTemp("", "educates-diagnostics") + if err != nil { + return "", err + } + return tempDir, nil +} + +func getDestDirAndFile(dest string) (string, string, error) { + if dest == "" { + return "", "", fmt.Errorf("dest is required") + } + if filepath.Ext(dest) == ".tar.gz" { + return filepath.Dir(dest), filepath.Base(dest), nil + } else if filepath.Ext(dest) == "" { + return dest, "", nil + } else { + return "", "", fmt.Errorf("dest must be a directory or a .tar.gz file") + } +} + +func 
copyAllFilesInDir(src string, dest string) error { + return filepath.Walk(src, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + // We only copy the files in the temp directory, if it's a dir, we skip it + if info.IsDir() { + return nil + } + // Get the relative path of the file + relPath, err := filepath.Rel(src, path) + if err != nil { + return err + } + // Create the destination path + destPath := filepath.Join(dest, relPath) + + // Create the directory if it doesn't exist + if err := os.MkdirAll(filepath.Dir(destPath), 0755); err != nil { + return err + } + + // Copy the file + srcFile, err := os.Open(path) + if err != nil { + return err + } + defer srcFile.Close() + destFile, err := os.Create(destPath) + if err != nil { + return err + } + defer destFile.Close() + _, err = io.Copy(destFile, srcFile) + return err + }) +} diff --git a/client-programs/pkg/diagnostics/fetcher.go b/client-programs/pkg/diagnostics/fetcher.go new file mode 100644 index 000000000..76b766f53 --- /dev/null +++ b/client-programs/pkg/diagnostics/fetcher.go 
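Review bot: getDestDirAndFile can never take the archive branch: `filepath.Ext("x.tar.gz")` is `".gz"`, so `filepath.Ext(dest) == ".tar.gz"` is always false and every `.tar.gz` destination is rejected with the "dest must be a directory or a .tar.gz file" error; use `if strings.HasSuffix(dest, ".tar.gz") {` (and add `strings` to this file's imports). In Run the result of `copyAllFilesInDir(tempDir, dir)` is discarded, so a failed copy still prints "Diagnostics files saved to dir"; it should be `if err := copyAllFilesInDir(tempDir, dir); err != nil { return err }`. Since the bundle contains cluster resources and pod logs, the `0755` in `os.MkdirAll` and the default-mode `os.Create(destPath)` in copyAllFilesInDir would be better as 0700/0600 so the output is not world-readable by default.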
@@ -0,0 +1,271 @@ +package diagnostics + +import ( + "context" + "encoding/json" + "fmt" + "io" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/educatesrestapi" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/cli-runtime/pkg/printers" +) + +var workshopResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "workshops"} +var trainingportalResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "trainingportals"} +var workshopsessionsResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "workshopsessions"} +var workshoprequestsResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "workshoprequests"} +var workshopenvironmentsResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "workshopenvironments"} +var workshopallocationsResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "workshopallocations"} +var secretcopierResource = schema.GroupVersionResource{Group: "secrets.educates.dev", Version: "v1beta1", Resource: "secretcopiers"} +var secretinjectorsResource = schema.GroupVersionResource{Group: "secrets.educates.dev", Version: "v1beta1", Resource: "secretinjectors"} +var secretexportersResource = schema.GroupVersionResource{Group: "secrets.educates.dev", Version: "v1beta1", Resource: "secretexporters"} +var secretimportersResource = schema.GroupVersionResource{Group: "secrets.educates.dev", Version: "v1beta1", Resource: "secretimporters"} + +type ClusterDiagnosticsFetcher struct { 
+ clusterConfig *cluster.ClusterConfig + tempDir string + verbose bool +} + +func (c *ClusterDiagnosticsFetcher) getEducatesNamespaces(fileName string) error { + client, err := c.clusterConfig.GetClient() + if err != nil { + return err + } + + namespaces, err := client.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{ + // LabelSelector: "training.educates.dev/component", + }) + if err != nil { + return err + } + + newFile, err := os.Create(filepath.Join(c.tempDir, fileName)) + if err != nil { + return err + } + defer newFile.Close() + + y := printers.YAMLPrinter{} + for _, object := range namespaces.Items { + object.SetManagedFields(nil) // Remove managedFields from the object + // We need to add the GroupVersionKind to the object, as it is not set by default. See: https://github.com/kubernetes-sigs/controller-runtime/issues/1517 + object.GetObjectKind().SetGroupVersionKind(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"}) + if err := y.PrintObj(&object, newFile); err != nil { + return err + } + } + + if c.verbose { + fmt.Printf("Educates namespaces saved in file: %v\n", fileName) + } + + return nil +} + +// TODO: Print events in a more human readable format +func (c *ClusterDiagnosticsFetcher) getEducatesNamespacesEvents(fileName string) error { + client, err := c.clusterConfig.GetClient() + if err != nil { + return err + } + + namespaces, err := client.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{}) + if err != nil { + return err + } + + newFile, err := os.Create(filepath.Join(c.tempDir, fileName)) + if err != nil { + return err + } + defer newFile.Close() + + y := printers.YAMLPrinter{} + for _, namespace := range namespaces.Items { + if !strings.HasPrefix(namespace.Labels["kubernetes.io/metadata.name"], "educates") { + continue + } + events, err := client.CoreV1().Events(namespace.Name).List(context.TODO(), metav1.ListOptions{ + // LabelSelector: "training.educates.dev/component", + }) + for _, object := range 
events.Items { + object.SetManagedFields(nil) // Remove managedFields from the object + // We need to add the GroupVersionKind to the object, as it is not set by default. See: https://github.com/kubernetes-sigs/controller-runtime/issues/1517 + object.GetObjectKind().SetGroupVersionKind(schema.GroupVersionKind{Group: "events.k8s.io", Version: "v1", Kind: "Event"}) + if err := y.PrintObj(&object, newFile); err != nil { + return err + } + } + if err != nil { + return err + } + } + if c.verbose { + fmt.Printf("Educates namespaces events saved in file: %v\n", fileName) + } + + return nil +} + +func (c *ClusterDiagnosticsFetcher) fetchDynamicallyResources(res schema.GroupVersionResource, fileName string) error { + dynamicClient, err := c.clusterConfig.GetDynamicClient() + if err != nil { + return err + } + dynClient := dynamicClient.Resource(res) + + objectList, err := dynClient.List(context.TODO(), metav1.ListOptions{}) + if err != nil { + return err + } + + newFile, err := os.Create(filepath.Join(c.tempDir, fileName)) + if err != nil { + return err + } + defer newFile.Close() + + y := printers.YAMLPrinter{} + for _, object := range objectList.Items { + object.SetManagedFields(nil) // Remove managedFields from the object + if err := y.PrintObj(&object, newFile); err != nil { + return err + } + } + + if c.verbose { + fmt.Printf("Educates %v saved in file: %v\n", res.Resource, fileName) + } + + return nil +} + +func (c *ClusterDiagnosticsFetcher) fetchLogsForDeployment(labelSelector, namespaceSelector, fileNamePattern string) error { + client, err := c.clusterConfig.GetClient() + if err != nil { + return err + } + // Create an array of strings to store the namespaces + var namespacesList []string + if strings.Contains(namespaceSelector, "=") { + namespaces, err := client.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{ + LabelSelector: namespaceSelector, + }) + if err != nil { + return err + } + for _, namespace := range namespaces.Items { + namespacesList = 
append(namespacesList, namespace.Name) + } + } else { + namespacesList = strings.Split(namespaceSelector, ",") + } + + for _, namespaceName := range namespacesList { + pods, err := client.CoreV1().Pods(namespaceName).List(context.TODO(), metav1.ListOptions{ + LabelSelector: labelSelector, + }) + if err != nil { + return err + } + + if strings.Contains(fileNamePattern, "%v") { + fileNamePattern = fmt.Sprintf(fileNamePattern, namespaceName) + } + + logFile, err := os.Create(filepath.Join(c.tempDir, fileNamePattern)) + if err != nil { + return err + } + defer logFile.Close() + + for _, pod := range pods.Items { + req := client.CoreV1().Pods(pod.Namespace).GetLogs(pod.Name, &v1.PodLogOptions{}) + podLogs, err := req.Stream(context.TODO()) + if err != nil { + return err + } + defer podLogs.Close() + + _, err = io.Copy(logFile, podLogs) + if err != nil { + return err + } + + if c.verbose { + fmt.Printf("Educates related logs saved in file: %v\n", fileNamePattern) + } + } + } + + return nil +} + +func (c *ClusterDiagnosticsFetcher) fetchTrainingPortalDetailsAtRest(fileNamePattern string) error { + dynamicClient, err := c.clusterConfig.GetDynamicClient() + if err != nil { + return err + } + dynClient := dynamicClient.Resource(trainingportalResource) + trainingPortals, err := dynClient.List(context.TODO(), metav1.ListOptions{}) + if err != nil { + return err + } + // Iterate over the training portals and get the details of the workshop sessions + for _, trainingPortal := range trainingPortals.Items { + trainingPortalName, _, _ := unstructured.NestedString(trainingPortal.Object, "metadata", "name") + + catalogApiRequester := educatesrestapi.NewWorkshopsCatalogRequester( + c.clusterConfig, + trainingPortalName, + ) + logout, err := catalogApiRequester.Login() + defer logout() + if err != nil { + return errors.Wrap(err, "failed to login to training portal") + } + + // Get the list of workshops so we can know which workshop environment + // we need to request a workshop from. 
+ listEnvironmentsResult, err := catalogApiRequester.GetWorkshopsCatalog() + if err != nil { + return errors.Wrap(err, "failed to get workshops catalog") + } + + if strings.Contains(fileNamePattern, "%v") { + fileNamePattern = fmt.Sprintf(fileNamePattern, trainingPortalName) + } + newFile, err := os.Create(filepath.Join(c.tempDir, fileNamePattern)) + if err != nil { + return err + } + defer newFile.Close() + + // Pretty print in json format listEnvironmentsResult + prettyListEnvironmentsResult, err := json.MarshalIndent(listEnvironmentsResult, "", " ") + if err != nil { + return err + } + // print into newFile + _, err = newFile.Write(prettyListEnvironmentsResult) + if err != nil { + return err + } + + if c.verbose { + fmt.Printf("Educates trainingportal details at rest saved in file: %v\n", fileNamePattern) + } + + } + return nil +} diff --git a/client-programs/pkg/educatesrestapi/catalog.go b/client-programs/pkg/educatesrestapi/catalog.go new file mode 100644 index 000000000..3686649e3 --- /dev/null +++ b/client-programs/pkg/educatesrestapi/catalog.go 
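Review bot: training-portals.yaml written by fetchDynamicallyResources dumps each TrainingPortal verbatim (only managedFields is stripped), which includes `status.educates.clients.robot.secret` and `status.educates.credentials.robot.password` — the exact fields Login() in catalog.go reads to authenticate — so the support bundle carries live portal credentials; strip them before printing, e.g. `unstructured.RemoveNestedField(object.Object, "status", "educates", "clients")` and the same for `"credentials"` when `res == trainingportalResource`. In fetchLogsForDeployment and fetchTrainingPortalDetailsAtRest the `fileNamePattern = fmt.Sprintf(fileNamePattern, ...)` assignment overwrites the pattern on the first iteration, so every later namespace or portal reuses the first file name and `os.Create` truncates it, leaving only the last one's data under the wrong name; write to a local such as `fileName := fmt.Sprintf(fileNamePattern, namespaceName)` instead. In getEducatesNamespacesEvents the loop over `events.Items` runs before the `err` from the Events List call is checked, dereferencing a nil list when the call fails. In fetchTrainingPortalDetailsAtRest `defer logout()` is registered before the Login error is checked, and Login returns a nil func on failure, so the deferred call panics; move the defer below the `if err != nil` check.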
@@ -0,0 +1,428 @@ +package educatesrestapi + +import ( + "bytes" + "context" + "encoding/base64" + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" + "strings" + "time" + + "github.com/pkg/errors" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + k8serrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +type AuthDetails struct { + AccessToken string `json:"access_token"` + ExpiresIn int `json:"expires_in"` + TokenType string `json:"token_type"` + Scope string `json:"scope"` + RefreshToken string `json:"refresh_token"` +} + +type WorkshopsCatalogRequesterApi interface { + GetWorkshopsCatalog() (*WorkshopsCatalogResponse, error) + Login() (func(), error) + // Logout() error +} + +type WorkshopsCatalogRequester struct { + clusterConfig *cluster.ClusterConfig + portalName string + PortalUrl string + Auth *AuthDetails +} + +var _ WorkshopsCatalogRequesterApi = &WorkshopsCatalogRequester{} + +func NewWorkshopsCatalogRequester(clusterConfig *cluster.ClusterConfig, portalName string) *WorkshopsCatalogRequester { + return &WorkshopsCatalogRequester{ + clusterConfig: clusterConfig, + portalName: portalName, + } +} + +func (c *WorkshopsCatalogRequester) GetWorkshopsCatalog() (*WorkshopsCatalogResponse, error) { + body := []byte("{}") + + requestURL := fmt.Sprintf("%s/workshops/catalog/environments", c.PortalUrl) + + req, err := http.NewRequest("GET", requestURL, bytes.NewBuffer(body)) + + if err != nil { + return nil, errors.Wrap(err, "malformed request for training portal") + } + + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.Auth.AccessToken)) + + res, err := http.DefaultClient.Do(req) + + if err != nil { + return nil, errors.Wrap(err, "failed to request catalog from training portal") + } + + defer res.Body.Close() + + if res.StatusCode != http.StatusOK { + bodyBytes, err := 
io.ReadAll(res.Body) + + if err != nil { + return nil, errors.Wrap(err, "failed to read response body from training portal") + } + + bodyString := string(bodyBytes) + + return nil, errors.Errorf("request for catalog from training portal failed with error (%d, %s)", res.StatusCode, bodyString) + } + + workshopsCatalogResult := &WorkshopsCatalogResponse{} + err = json.NewDecoder(res.Body).Decode(workshopsCatalogResult) + if err != nil { + return nil, errors.Wrap(err, "failed to decode response from training portal") + } + + return workshopsCatalogResult, nil +} + +func (c *WorkshopsCatalogRequester) ExtendWorkshopSession(sessionName string) (*WorkshopSessionDetails, error) { + req, err := http.NewRequest("GET", fmt.Sprintf("%s/workshops/session/%s/extend/", c.PortalUrl, sessionName), nil) + + if err != nil { + return nil, errors.Wrapf(err, "malformed request for training portal") + } + + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.Auth.AccessToken)) + + res, err := http.DefaultClient.Do(req) + + if err != nil { + return nil, errors.Wrapf(err, "cannot connect to training portal") + } + + if res.StatusCode == 400 || res.StatusCode == 404 { + return nil, errors.New("No session found.") + } + + if res.StatusCode != 200 { + return nil, errors.New("cannot execute session extension against training portal") + } + + resBody, err := io.ReadAll(res.Body) + + if err != nil { + return nil, errors.Wrapf(err, "cannot read response to extend request") + } + + var details *WorkshopSessionDetails + + err = json.Unmarshal(resBody, &details) + + if err != nil { + return nil, errors.Wrapf(err, "cannot decode session details") + } + + return details, nil +} + +func (c *WorkshopsCatalogRequester) GetWorkshopSession(sessionName string) (*WorkshopSessionDetails, error) { + req, err := http.NewRequest("GET", fmt.Sprintf("%s/workshops/session/%s/schedule/", c.PortalUrl, sessionName), nil) + + if err != nil { + return nil, errors.Wrapf(err, "malformed request for training 
portal") + } + + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.Auth.AccessToken)) + + res, err := http.DefaultClient.Do(req) + + if err != nil { + return nil, errors.Wrapf(err, "cannot connect to training portal") + } + + if res.StatusCode == 400 || res.StatusCode == 404 { + return nil, errors.New("No session found.") + } + + if res.StatusCode != 200 { + return nil, errors.New("cannot get session status from training portal") + } + + resBody, err := io.ReadAll(res.Body) + + if err != nil { + return nil, errors.Wrapf(err, "cannot read response to status request") + } + + var details *WorkshopSessionDetails + + err = json.Unmarshal(resBody, &details) + + if err != nil { + return nil, errors.Wrapf(err, "cannot decode session details") + } + + return details, nil +} + +func (c *WorkshopsCatalogRequester) TerminateWorkshopSession(sessionName string) (*WorkshopSessionDetails, error) { + req, err := http.NewRequest("GET", fmt.Sprintf("%s/workshops/session/%s/terminate/", c.PortalUrl, sessionName), nil) + + if err != nil { + return nil, errors.Wrapf(err, "malformed request for training portal") + } + + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.Auth.AccessToken)) + + res, err := http.DefaultClient.Do(req) + + if err != nil { + return nil, errors.Wrapf(err, "cannot connect to training portal") + } + + if res.StatusCode == 400 || res.StatusCode == 404 { + return nil, errors.New("No session found.") + } + + if res.StatusCode != 200 { + return nil, errors.New("cannot execute session terminate against training portal") + } + + resBody, err := io.ReadAll(res.Body) + + if err != nil { + return nil, errors.Wrapf(err, "cannot read response to termination request") + } + + var details *WorkshopSessionDetails + + err = json.Unmarshal(resBody, &details) + + if err != nil { + return nil, errors.Wrapf(err, "cannot decode session details") + } + + return details, nil +} + +func (c *WorkshopsCatalogRequester) RequestWorkshop(workshopName string, 
environmentName string, params map[string]string, indexUrl string, user string, timeout int) (*RequestWorkshopResponse, error) { + + inputData := RequestWorkshopRequest{ + Parameters: []Parameter{}, + } + + for name, value := range params { + inputData.Parameters = append(inputData.Parameters, Parameter{name, value}) + } + + body, err := json.Marshal(inputData) + + if err != nil { + return nil, errors.Wrapf(err, "cannot marshal request parameters") + } + + if indexUrl == "" { + indexUrl = fmt.Sprintf("%s/accounts/logout/", c.PortalUrl) + } + + queryString := url.Values{} + queryString.Add("index_url", indexUrl) + queryString.Add("timeout", fmt.Sprintf("%d", timeout)) + + if user != "" { + queryString.Add("user", user) + } + + fmt.Printf("Requesting workshop %q from training portal %q.\n", workshopName, c.portalName) + + requestURL := fmt.Sprintf("%s/workshops/environment/%s/request/?%s", c.PortalUrl, environmentName, queryString.Encode()) + + req, err := http.NewRequest("POST", requestURL, bytes.NewBuffer(body)) + + if err != nil { + return nil, errors.Wrap(err, "malformed request for training portal") + } + + req.Header.Add("Content-Type", "application/json") + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.Auth.AccessToken)) + + res, err := http.DefaultClient.Do(req) + + if err != nil { + return nil, errors.Wrap(err, "failed to request workshop from training portal") + } + + defer res.Body.Close() + + if res.StatusCode != http.StatusOK { + bodyBytes, err := io.ReadAll(res.Body) + + if err != nil { + return nil, errors.Wrap(err, "failed to read response body from training portal") + } + + bodyString := string(bodyBytes) + + return nil, errors.Errorf("request for workshop from training portal failed with error (%d, %s)", res.StatusCode, bodyString) + } + + requestWorkshopResult := &RequestWorkshopResponse{} + + err = json.NewDecoder(res.Body).Decode(requestWorkshopResult) + + if err != nil { + return nil, errors.Wrap(err, "failed to decode response from 
training portal") + } + + return requestWorkshopResult, nil +} + +func (c *WorkshopsCatalogRequester) Login() (func(), error) { + var err error + clientId := "" + clientSecret := "" + + // We commented this out because cluster availability is checked on the caller cmd when cluster is needed + // if err := cluster.IsClusterAvailable(c.clusterConfig); err != nil { + // return err + // } + + dynamicClient, err := c.clusterConfig.GetDynamicClient() + + if err != nil { + return nil, errors.Wrapf(err, "unable to create Kubernetes client") + } + + trainingPortalClient := dynamicClient.Resource(schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "trainingportals"}) + + var trainingPortal *unstructured.Unstructured + var executions = 0 + for { + trainingPortal, err = trainingPortalClient.Get(context.TODO(), c.portalName, metav1.GetOptions{}) + + if k8serrors.IsNotFound(err) { + return nil, errors.New("No session found.") + } + + _, found, _ := unstructured.NestedMap(trainingPortal.Object, "status") + + if found { + break + } + if executions > 3 { + return nil, errors.New("Training portal does not yet have a status for credentials") + } + time.Sleep(1 * time.Second) + executions++ + } + + c.PortalUrl, _, _ = unstructured.NestedString(trainingPortal.Object, "status", "educates", "url") + + clientId, _, _ = unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "id") + clientSecret, _, _ = unstructured.NestedString(trainingPortal.Object, "status", "educates", "clients", "robot", "secret") + + username, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "username") + password, _, _ := unstructured.NestedString(trainingPortal.Object, "status", "educates", "credentials", "robot", "password") + + if c.PortalUrl == "" { + return nil, errors.New("invalid URL endpoint in training portal") + } + + if username == "" || password == "" { + return nil, 
errors.New("invalid credentials in training portal") + } + + form := url.Values{} + + form.Add("grant_type", "password") + form.Add("username", username) + form.Add("password", password) + + // We try to login 5 times in case of errors (since this operation might have happen too fast + // with relation to the creation of the trainingportal) adding an exponential delay between each try + var resBody []byte + for executions := 0; executions < 6; executions++ { + resBody, err = requestToken(c.PortalUrl, clientId, clientSecret, form) + if err != nil { + time.Sleep(time.Duration(2*executions) * time.Second) + continue + } + if resBody != nil { + break + } + } + if err != nil { + return nil, err + } + + err = json.Unmarshal(resBody, &c.Auth) + + if err != nil { + return nil, errors.Wrapf(err, "cannot decode auth details") + } + + cleanupFunc := func() { + if c.PortalUrl == "" || c.Auth.AccessToken == "" { + return + } + form = url.Values{} + + form.Add("token", c.Auth.AccessToken) + form.Add("client_id", clientId) + form.Add("client_secret", clientSecret) + + req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/revoke-token/", c.PortalUrl), strings.NewReader(form.Encode())) + + if err == nil { + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.Auth.AccessToken)) + + _, _ = http.DefaultClient.Do(req) + } + } + + return cleanupFunc, nil +} + +func requestToken(portalUrl string, clientId string, clientSecret string, form url.Values) ([]byte, error) { + req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth2/token/", portalUrl), strings.NewReader(form.Encode())) + + if err != nil { + return nil, errors.Wrapf(err, "malformed request for training portal") + } + + credentials := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))) + + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + req.Header.Add("Authorization", fmt.Sprintf("Basic 
%s", credentials)) + + var res *http.Response + + res, err = http.DefaultClient.Do(req) + + if err != nil { + return nil, errors.New("cannot connect to training portal") + } + if res.StatusCode == 503 { + return nil, errors.New("cannot login to training portal. Portal not ready yet") + } + if res.StatusCode != 200 { + return nil, errors.New("cannot login to training portal") + } + + resBody, err := io.ReadAll(res.Body) + res.Body.Close() + + if err != nil { + return nil, errors.Wrapf(err, "cannot read response to token request") + } + + return resBody, nil +} diff --git a/client-programs/pkg/educatesrestapi/types.go b/client-programs/pkg/educatesrestapi/types.go new file mode 100644 index 000000000..1f7fb4cac --- /dev/null +++ b/client-programs/pkg/educatesrestapi/types.go 
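Review bot: ExtendWorkshopSession, GetWorkshopSession and TerminateWorkshopSession never close `res.Body`, so every call leaks a connection; add `defer res.Body.Close()` right after the `http.DefaultClient.Do` error check, as GetWorkshopsCatalog already does. `sessionName` and `environmentName` are spliced into the request path with Sprintf, so a value containing `/`, `..` or `?` changes which portal endpoint the robot bearer token is sent to; wrap them with `url.PathEscape(...)`. In Login the retry loop only handles `IsNotFound`: any other error from `trainingPortalClient.Get` leaves `trainingPortal` nil and the following `trainingPortal.Object` dereference panics, so add `if err != nil { return nil, errors.Wrap(err, "unable to read training portal") }` before it. All requests go through `http.DefaultClient`, which has no timeout, so an unresponsive portal hangs the CLI indefinitely; a shared `&http.Client{Timeout: ...}` would bound that.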
@@ -0,0 +1,82 @@ +package educatesrestapi + +// WorkshopCatalog +// -------------------------------------------- + +type WorkshopsCatalogResponse struct { + Portal PortalDetails `json:"portal"` + Environments []EnvironmentDetails `json:"environments"` +} + +type PortalDetails struct { + Name string `json:"name"` + // Labels []string `json:"labels"` + UID string `json:"uid"` + Generation int64 `json:"generation"` + URL string `json:"url"` + Sessions SessionDetails `json:"sessions"` +} + +type SessionDetails struct { + Maximum int64 `json:"maximum"` + Registered int64 `json:"registered"` + Anonymous int64 `json:"anonymous"` + Allocated int64 `json:"allocated"` +} + +type WorkshopDetails struct { + Name string `json:"name"` + Title string `json:"title"` + Description string `json:"description"` + Vendor string `json:"vendor"` + Authors []string `json:"authors"` + Difficulty string `json:"difficulty"` + Duration string `json:"duration"` + Tags []string `json:"tags"` + // Labels []string `json:"labels"` + Logo string `json:"logo"` + URL string `json:"url"` +} + +type EnvironmentDetails struct { + Name string `json:"name"` + State string `json:"state"` + Duration int64 `json:"duration"` + Capacity int64 `json:"capacity"` + Reserved int64 `json:"reserved"` + Allocated int64 `json:"allocated"` + Available int64 `json:"available"` + Workshop WorkshopDetails `json:"workshop"` +} + +// RequestWorkshop +// -------------------------------------------- +type RequestWorkshopRequest struct { + Parameters []Parameter `json:"parameters"` +} + +type Parameter struct { + Name string `json:"name"` + Value string `json:"value"` +} + +type RequestWorkshopResponse struct { + Name string `json:"name"` + User string `json:"user"` + URL string `json:"url"` + Workshop string `json:"workshop"` + Environment string `json:"environment"` + Namespace string `json:"namespace"` +} + +// WorkshopSessionDetails +// -------------------------------------------- + +type WorkshopSessionDetails struct { + 
Started string `json:"started"` + Expires string `json:"expires"` + Expiring bool `json:"expiring"` + Countdown int `json:"countdown"` + Extendable bool `json:"extendable"` + Status string `json:"status"` +} diff --git a/client-programs/pkg/installer/installer.go b/client-programs/pkg/installer/installer.go new file mode 100644 index 000000000..3bd795883 --- /dev/null +++ b/client-programs/pkg/installer/installer.go 
@@ -0,0 +1,455 @@ +package installer + +import ( + "context" + "fmt" + "os" + "path/filepath" + "time" + + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/logger" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils" + + "github.com/cppforlife/go-cli-ui/ui" + "github.com/pkg/errors" + + "carvel.dev/imgpkg/pkg/imgpkg/cmd" + "carvel.dev/imgpkg/pkg/imgpkg/registry" + imgpkgv1 "carvel.dev/imgpkg/pkg/imgpkg/v1" + + "carvel.dev/kapp/pkg/kapp/cmd/app" + + cmdtpl "carvel.dev/ytt/pkg/cmd/template" + yttUI "carvel.dev/ytt/pkg/cmd/ui" + "carvel.dev/ytt/pkg/files" + + kbldcmd "carvel.dev/kbld/pkg/kbld/cmd" + kbldlog "carvel.dev/kbld/pkg/kbld/logger" + + "gopkg.in/yaml.v2" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const EducatesInstallerString = "educates-installer" +const EducatesInstallerAppString = "label:installer=educates-installer.app" +const educatesConfigNamespace = "educates" +const educatesConfigConfigMapName = "educates-config" + +// We use a NullWriter to suppress the output of some commands, like kbld +type NullWriter int + +func (NullWriter) Write([]byte) (int, error) { return 0, nil } + +type Installer struct { +} + +func NewInstaller() *Installer { + return &Installer{} +} + +func (inst *Installer) DryRun(version string, packageRepository string, fullConfig *config.InstallationConfig, verbose bool, showPackagesValues bool, skipImageResolution bool) error { + if verbose { + fmt.Println("Installing educates (DryRun) ...") + } + + // Create a temporary directory + tempDir, err := os.MkdirTemp("", EducatesInstallerString) + if err != nil { + return err + } + // if verbose { + // fmt.Println("Temp dir: ", tempDir) + // } + + defer os.RemoveAll(tempDir) // clean up + + // Hack for local development. 
When version=latest, we use: + // - localhost:5001 as the package repository + // - 0.0.1 as the version + // - skipImageResolution=true + if version == "latest" { + packageRepository = "localhost:5001" + version = "0.0.1" + skipImageResolution = true + } + + // Fetch + prevDir, err := inst.fetch(tempDir, version, packageRepository, verbose) + if err != nil { + return err + } + + // Template + prevDir, err = inst.template(tempDir, prevDir, fullConfig, verbose, showPackagesValues, skipImageResolution) + if err != nil { + return err + } + + // kbld + if !skipImageResolution { + prevDir, err = inst.resolve(tempDir, prevDir, verbose) + if err != nil { + return err + } + } + + err = utils.PrintYamlFilesInDir(prevDir, []string{}) + if err != nil { + return err + } + + return nil +} + +func (inst *Installer) Run(version string, packageRepository string, fullConfig *config.InstallationConfig, clusterConfig *cluster.ClusterConfig, verbose bool, showPackagesValues bool, skipImageResolution bool, showDiff bool) error { + if verbose { + fmt.Println("Installing educates ...") + } + + // Create a temporary directory + tempDir, err := os.MkdirTemp("", EducatesInstallerString) + if err != nil { + return err + } + // if verbose { + // fmt.Println("Temp dir: ", tempDir) + // } + + defer os.RemoveAll(tempDir) // clean up + + // Hack for local development. 
When version=latest, we use: + // - localhost:5001 as the package repository + // - 0.0.1 as the version + // - skipImageResolution=true + if version == "latest" { + packageRepository = "localhost:5001" + version = "0.0.1" + skipImageResolution = true + } + + // Fetch + prevDir, err := inst.fetch(tempDir, version, packageRepository, verbose) + if err != nil { + return err + } + + // Template + prevDir, err = inst.template(tempDir, prevDir, fullConfig, verbose, showPackagesValues, skipImageResolution) + if err != nil { + return err + } + + // kbld for image resolution + if !skipImageResolution { + prevDir, err = inst.resolve(tempDir, prevDir, verbose) + if err != nil { + return err + } + } + + // Deploy + err = inst.deploy(tempDir, prevDir, clusterConfig, verbose, showDiff) + if err != nil { + return err + } + + return nil +} + +func (inst *Installer) Delete(fullConfig *config.InstallationConfig, clusterConfig *cluster.ClusterConfig, verbose bool) error { + fmt.Println("Deleting educates ...") + + if err := inst.delete(clusterConfig); err != nil { + return err + } + + return nil +} + +func (inst *Installer) GetValuesFromCluster(kubeconfig string, kubeContext string) (string, error) { + clusterConfig := cluster.NewClusterConfig(kubeconfig, kubeContext) + + client, err := clusterConfig.GetClient() + + if err != nil { + return "", errors.Wrapf(err, "unable to create Kubernetes client") + } + + configMapClient := client.CoreV1().ConfigMaps(educatesConfigNamespace) + + values, err := configMapClient.Get(context.TODO(), educatesConfigConfigMapName, metav1.GetOptions{}) + + if err != nil { + return "", errors.Wrap(err, "error querying the cluster") + } + + valuesData, ok := values.Data["values.yaml"] + + if !ok { + return "", errors.New("no platform configuration found") + } + + return string(valuesData), nil +} + +func (inst *Installer) GetConfigFromCluster(kubeconfig string, kubeContext string) (string, error) { + clusterConfig := cluster.NewClusterConfig(kubeconfig, 
kubeContext) + + client, err := clusterConfig.GetClient() + + if err != nil { + return "", errors.Wrapf(err, "unable to create Kubernetes client") + } + + configMapClient := client.CoreV1().ConfigMaps(educatesConfigNamespace) + + values, err := configMapClient.Get(context.TODO(), educatesConfigConfigMapName, metav1.GetOptions{}) + + if err != nil { + return "", errors.Wrap(err, "error querying the cluster") + } + + valuesData, ok := values.Data["config.yaml"] + + if !ok { + return "", errors.New("no platform configuration found") + } + + return string(valuesData), nil +} + +func (inst *Installer) fetch(tempDir string, version string, packageRepository string, verbose bool) (string, error) { + if verbose { + fmt.Println("Running fetch ...") + } + + pullOpts := imgpkgv1.PullOpts{ + Logger: logger.NewNullLogger(), + AsImage: false, + IsBundle: true, + } + // TODO: Remove some logging from here + fetchOutputDir := filepath.Join(tempDir, "fetch") + _, err := imgpkgv1.Pull(inst.getBundleImageRef(version, packageRepository, verbose), fetchOutputDir, pullOpts, registry.Opts{}) + if err != nil { + // TODO: There might be more potential issues here + return "", errors.Wrapf(err, "Installer image not found") + } + return fetchOutputDir, nil +} + +func (inst *Installer) template(tempDir string, inputDir string, fullConfig *config.InstallationConfig, verbose bool, showPackagesValues bool, skipImageResolution bool) (string, error) { + if verbose { + fmt.Println("Running template ...") + } + + paths := []string{filepath.Join(inputDir, "config/ytt/")} + if !showPackagesValues && !skipImageResolution { + paths = append(paths, filepath.Join(inputDir, "kbld/kbld-bundle.yaml")) + } + filesToProcess, err := files.NewSortedFilesFromPaths(paths, files.SymlinkAllowOpts{}) + if err != nil { + return "", err + } + + // Use ytt to generate the yaml for the cluster packages + opts := cmdtpl.NewOptions() + + // Debug in ytt schema config is used to output the processed values + if 
showPackagesValues { + fullConfig.Debug = utils.BoolPointer(true) + } + + yamlBytes, err := yaml.Marshal(fullConfig) + if err != nil { + return "", err + } + + kbldFiles := []*files.File{} + // TODO: Revisit when this needs to be used + if !skipImageResolution { + kbldFiles, err = files.NewSortedFilesFromPaths([]string{filepath.Join(inputDir, "kbld/kbld-images.yaml")}, files.SymlinkAllowOpts{}) + if err != nil { + return "", err + } + } + + opts.DataValuesFlags = cmdtpl.DataValuesFlags{ + FromFiles: []string{"values", "images"}, + ReadFilesFunc: func(path string) ([]*files.File, error) { + switch path { + case "values": + return []*files.File{ + files.MustNewFileFromSource(files.NewBytesSource("values/values.yaml", yamlBytes)), + }, nil + case "images": + return kbldFiles, nil + default: + return nil, fmt.Errorf("unknown file '%s'", path) + } + }, + } + + out := opts.RunWithFiles(cmdtpl.Input{Files: filesToProcess}, yttUI.NewTTY(false)) + + // When we get errors in ytt processing, e.g. because of schema validation, out.Err is not nil + if out.Err != nil { + fmt.Println(out.Err) + } + if out.DocSet == nil { + return "", errors.New("error processing files") + } + + // Create a new subdirectory in tempDir + templateOutputDir := filepath.Join(tempDir, "template") + err = os.Mkdir(templateOutputDir, 0755) + if err != nil { + fmt.Printf("Failed to create subdirectory: %v\n", err) + return "", err + } + + // We write the processed output to files + err = utils.WriteYamlDocSetItemsToDir(out.DocSet, templateOutputDir) + if err != nil { + return "", err + } + return templateOutputDir, nil +} + +func (inst *Installer) resolve(tempDir string, inputDir string, verbose bool) (string, error) { + if verbose { + fmt.Println("Running resolve images ...") + } + + kbldOutputDir := filepath.Join(tempDir, "kbld") + err := os.Mkdir(kbldOutputDir, 0755) + if err != nil { + return "", err + } + + // ui + confUI := ui.NewConfUI(ui.NewNoopLogger()) + uiFlags := cmd.UIFlags{ + Color: true, + 
JSON: false, + NonInteractive: true, + } + uiFlags.ConfigureUI(confUI) + defer confUI.Flush() + + resolveOptions := kbldcmd.NewResolveOptions(confUI) + resolveOptions.FileFlags.Files = []string{inputDir} + // Apply defaults from CLI + resolveOptions.ImagesAnnotation = false + resolveOptions.OriginsAnnotation = false + resolveOptions.UnresolvedInspect = false + resolveOptions.AllowedToBuild = false + resolveOptions.BuildConcurrency = 5 + var logger kbldlog.Logger + if verbose { + logger = kbldlog.NewLogger(os.Stderr) + } else { + logger = kbldlog.NewLogger(NullWriter(0)) + } + prefixedLogger := logger.NewPrefixedWriter("resolve | ") + resBss, err := resolveOptions.ResolveResources(&logger, prefixedLogger) + if err != nil { + return "", err + } + if verbose { + fmt.Println("All images have been resolved images") + } + + err = utils.WriteYamlByteArrayItemsToDir(resBss, kbldOutputDir) + if err != nil { + return "", err + } + return kbldOutputDir, nil +} + +func (inst *Installer) deploy(tempDir string, inputDir string, clusterConfig *cluster.ClusterConfig, verbose bool, showDiff bool) error { + if verbose { + fmt.Println("Running deploy ...") + } + + confUI := ui.NewConfUI(ui.NewNoopLogger()) + uiFlags := cmd.UIFlags{ + Color: true, + JSON: false, + NonInteractive: true, + } + uiFlags.ConfigureUI(confUI) + defer confUI.Flush() + + depsFactory := NewKappDepsFactoryImpl(clusterConfig) + deployOptions := app.NewDeployOptions(confUI, depsFactory, logger.NewKappLogger(), nil) + deployOptions.AppFlags.Name = EducatesInstallerAppString + deployOptions.AppFlags.AppNamespace = EducatesInstallerString + deployOptions.FileFlags.Files = []string{inputDir, filepath.Join(tempDir, "fetch/config/kapp/")} + deployOptions.ApplyFlags.ClusterChangeOpts.Wait = true + deployOptions.ApplyFlags.ClusterChangeOpts.ApplyIgnored = false + deployOptions.ApplyFlags.ClusterChangeOpts.WaitIgnored = false + + deployOptions.ApplyFlags.ApplyingChangesOpts.Concurrency = 5 + + 
deployOptions.ApplyFlags.WaitingChangesOpts.CheckInterval = time.Duration(1) * time.Second + deployOptions.ApplyFlags.WaitingChangesOpts.Timeout = time.Duration(15) * time.Minute + deployOptions.ApplyFlags.WaitingChangesOpts.Concurrency = 5 + + deployOptions.DeployFlags.ExistingNonLabeledResourcesCheck = false + deployOptions.DeployFlags.ExistingNonLabeledResourcesCheckConcurrency = 100 + deployOptions.DeployFlags.AppChangesMaxToKeep = 5 + + deployOptions.DiffFlags.AgainstLastApplied = true + if showDiff { + deployOptions.DiffFlags.Changes = true + } + + err := deployOptions.Run() + if err != nil { + return err + } + return nil +} + +func (inst *Installer) delete(clusterConfig *cluster.ClusterConfig) error { + fmt.Println("Running delete ...") + + confUI := ui.NewConfUI(ui.NewNoopLogger()) + + uiFlags := cmd.UIFlags{ + Color: true, + JSON: false, + NonInteractive: true, + } + + uiFlags.ConfigureUI(confUI) + + defer confUI.Flush() + + depsFactory := NewKappDepsFactoryImpl(clusterConfig) + deleteOptions := app.NewDeleteOptions(confUI, depsFactory, logger.NewKappLogger()) + deleteOptions.AppFlags.Name = EducatesInstallerAppString + deleteOptions.AppFlags.AppNamespace = EducatesInstallerString + deleteOptions.ApplyFlags.ClusterChangeOpts.Wait = true + deleteOptions.ApplyFlags.ApplyingChangesOpts.Concurrency = 5 + deleteOptions.ApplyFlags.WaitingChangesOpts.CheckInterval = time.Duration(1) * time.Second + deleteOptions.ApplyFlags.WaitingChangesOpts.Timeout = time.Duration(15) * time.Minute + deleteOptions.ApplyFlags.WaitingChangesOpts.Concurrency = 5 + + err := deleteOptions.Run() + if err != nil { + return err + } + return nil +} + +func (inst *Installer) getBundleImageRef(version string, packageRepository string, verbose bool) string { + bundleImageRef := fmt.Sprintf("%s/%s:%s", packageRepository, EducatesInstallerString, version) + if verbose { + fmt.Printf("Using installer image: %s\n", bundleImageRef) + } + return bundleImageRef +} 
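Review bot: In `template`, a ytt failure is only printed — `if out.Err != nil { fmt.Println(out.Err) }` falls through, and the function returns an error only when `out.DocSet == nil` — so a schema-validation error that still yields a partial DocSet is written out and, in `Run`, deployed, while the cause is lost behind the generic "error processing files" message; return it instead: `if out.Err != nil { return "", errors.Wrap(out.Err, "error processing files") }`. Separately, `deploy` sets `ExistingNonLabeledResourcesCheck = false`, which switches off kapp's guard against adopting and overwriting resources in the cluster that this app did not create; if that is deliberate for migrating from the previous App-based install, a comment stating why would stop the next reader from re-enabling it. In `resolve`, the local `var logger kbldlog.Logger` shadows the imported `logger` package for the rest of the function, which compiles but is easy to misread next to the `logger.NewKappLogger()` calls in `deploy` and `delete`. `GetValuesFromCluster` and `GetConfigFromCluster` are byte-identical apart from the ConfigMap key and share the "no platform configuration found" message; a private helper taking the key would keep the two from drifting.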
diff --git a/client-programs/pkg/installer/kappDepsFactory.go b/client-programs/pkg/installer/kappDepsFactory.go new file mode 100644 index 000000000..be40b0cab --- /dev/null +++ b/client-programs/pkg/installer/kappDepsFactory.go @@ -0,0 +1,39 @@ +package installer + +import ( + core "carvel.dev/kapp/pkg/kapp/cmd/core" + "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/kubernetes" +) + +type KappDepsFactoryImpl struct { + clusterConfig *cluster.ClusterConfig +} + +var _ core.DepsFactory = &KappDepsFactoryImpl{} + +func NewKappDepsFactoryImpl(clusterConfig *cluster.ClusterConfig) *KappDepsFactoryImpl { + return &KappDepsFactoryImpl{clusterConfig: clusterConfig} +} + +// ConfigureWarnings implements core.DepsFactory. +func (k *KappDepsFactoryImpl) ConfigureWarnings(warnings bool) { + // no-op +} + +// CoreClient implements core.DepsFactory. +func (k *KappDepsFactoryImpl) CoreClient() (kubernetes.Interface, error) { + return k.clusterConfig.GetClient() +} + +// DynamicClient implements core.DepsFactory. +func (k *KappDepsFactoryImpl) DynamicClient(opts core.DynamicClientOpts) (dynamic.Interface, error) { + return k.clusterConfig.GetDynamicClient() +} + +func (k *KappDepsFactoryImpl) RESTMapper() (meta.RESTMapper, error) { + // TODO: Implement this method + return nil, nil +} diff --git a/client-programs/pkg/logger/KappLogger.go b/client-programs/pkg/logger/KappLogger.go new file mode 100644 index 000000000..3fbf993f8 --- /dev/null +++ b/client-programs/pkg/logger/KappLogger.go 
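Review bot: `RESTMapper` returns `nil, nil`, so any kapp code path that asks the factory for a mapper receives a nil interface with no error and will panic on first use instead of reporting a readable failure. Until it is implemented, return an explicit error, e.g. `return nil, fmt.Errorf("RESTMapper is not implemented")` (with `fmt` added to the import block), so a deploy that needs it fails fast with a clear message. `DynamicClient` also ignores its `opts` argument; a short comment saying that the cluster config decides the client settings would make that deliberate rather than look like an oversight.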
@@ -0,0 +1,72 @@ +package logger + +import ( + "fmt" + "time" + + "carvel.dev/kapp/pkg/kapp/logger" +) + +const ( + loggerLevelError = "error" + loggerLevelInfo = "info" + loggerLevelDebug = "debug" +) + +type KappLogger struct { + prefix string + debug bool +} + +var _ logger.Logger = &KappLogger{} + +func NewKappLogger() *KappLogger { return &KappLogger{"", false} } + +// Debug implements logger.Logger. +func (k *KappLogger) Debug(msg string, args ...interface{}) { + if k.debug { + k.msg(loggerLevelDebug, msg) + } +} + +// DebugFunc implements logger.Logger. +func (k *KappLogger) DebugFunc(name string) logger.FuncLogger { + funcLogger := &KappFuncLogger{name, time.Now(), k.NewPrefixed(name)} + funcLogger.Start() + return funcLogger +} + +// Error implements logger.Logger. +func (k *KappLogger) Error(msg string, args ...interface{}) { + k.msg(loggerLevelError, msg) +} + +// Info implements logger.Logger. +func (k *KappLogger) Info(msg string, args ...interface{}) { + k.msg(loggerLevelInfo, msg) +} + +// NewPrefixed implements logger.Logger. +func (k *KappLogger) NewPrefixed(name string) logger.Logger { + if len(k.prefix) > 0 { + name = k.prefix + name + } + name += ": " + return &KappLogger{name, k.debug} +} + +func (k *KappLogger) msg(level, msg string) string { + ts := time.Now().Format("03:04:05PM") + return fmt.Sprintf("%s: %s: %s%s\n", ts, level, k.prefix, msg) +} + +type KappFuncLogger struct { + name string + startTime time.Time + logger logger.Logger +} + +var _ logger.FuncLogger = &KappFuncLogger{} + +func (l *KappFuncLogger) Start() { l.logger.Debug("start") } +func (l *KappFuncLogger) Finish() { l.logger.Debug("end (%s)", time.Since(l.startTime)) } diff --git a/client-programs/pkg/logger/NullLogSink.go b/client-programs/pkg/logger/NullLogSink.go new file mode 100644 index 000000000..c9827f8b5 --- /dev/null +++ b/client-programs/pkg/logger/NullLogSink.go 
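Review bot: `msg` formats the line and returns it, but `Debug`, `Info` and `Error` all discard that return value and nothing in the file writes to stdout or stderr, so every message kapp routes through this logger — including errors — is dropped, and the `args ...interface{}` are never applied to `msg` either (`Finish` passes `time.Since(l.startTime)` that is silently lost). If a silent logger is the intent, say so on the type, e.g. `// KappLogger satisfies kapp's logger.Logger but discards all output.`, and drop the dead timestamp formatting; if output is intended, `msg` should `fmt.Fprintf(os.Stderr, ...)` with the args applied. The `debug` field also has no way to become true, since `NewKappLogger` always constructs `&KappLogger{"", false}`.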
@@ -0,0 +1,39 @@ +package logger + +import ( + "github.com/go-logr/logr" +) + +// NullLogSink is a logr.Logger that does nothing. +type NullLogSink struct{} + +var _ logr.LogSink = NullLogSink{} + +// Init implements logr.LogSink. +func (log NullLogSink) Init(logr.RuntimeInfo) { +} + +// Info implements logr.InfoLogger. +func (NullLogSink) Info(_ int, _ string, _ ...interface{}) { + // Do nothing. +} + +// Enabled implements logr.InfoLogger. +func (NullLogSink) Enabled(level int) bool { + return false +} + +// Error implements logr.Logger. +func (NullLogSink) Error(_ error, _ string, _ ...interface{}) { + // Do nothing. +} + +// WithName implements logr.Logger. +func (log NullLogSink) WithName(_ string) logr.LogSink { + return log +} + +// WithValues implements logr.Logger. +func (log NullLogSink) WithValues(_ ...interface{}) logr.LogSink { + return log +} diff --git a/client-programs/pkg/logger/NullLogger.go b/client-programs/pkg/logger/NullLogger.go new file mode 100644 index 000000000..9f8613398 --- /dev/null +++ b/client-programs/pkg/logger/NullLogger.go 
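Review bot: The type comment says `NullLogSink is a logr.Logger that does nothing`, but the type satisfies `logr.LogSink` (as the `var _ logr.LogSink` assertion right below it shows), and the method comments cite `logr.InfoLogger` and `logr.Logger`, which do not match the interface being implemented. Suggest `// NullLogSink is a logr.LogSink that discards every message.` on the type and `// ... implements logr.LogSink.` on each method. `Init` names its receiver `log` without using it while the other no-op methods omit the name; dropping it keeps the file consistent.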
@@ -0,0 +1,38 @@ +package logger + +import ( + imgpkgv1 "carvel.dev/imgpkg/pkg/imgpkg/v1" +) + +type NullLogger struct{} + +var _ imgpkgv1.Logger = &NullLogger{} + +func NewNullLogger() *NullLogger { + return &NullLogger{} +} + +/* From imgpkgv1.Logger */ +func (l *NullLogger) Debugf(format string, args ...interface{}) { + //fmt.Printf("[DEBUG] "+format+"\n", args...) +} + +/* From imgpkgv1.Logger */ +func (l *NullLogger) Tracef(format string, args ...interface{}) { + //fmt.Printf("[INFO] "+format+"\n", args...) +} + +/* From imgpkgv1.Logger */ +func (l *NullLogger) Warnf(format string, args ...interface{}) { + //fmt.Printf("[WARN] "+format+"\n", args...) +} + +/* From imgpkgv1.Logger */ +func (l *NullLogger) Errorf(format string, args ...interface{}) { + //fmt.Printf("[ERROR] "+format+"\n", args...) +} + +/* From imgpkgv1.Logger */ +func (l *NullLogger) Logf(format string, args ...interface{}) { + //fmt.Printf("[ERROR] "+format+"\n", args...) +} diff --git a/client-programs/pkg/operators/operators.go b/client-programs/pkg/operators/operators.go deleted file mode 100644 index fcda7aea7..000000000 --- a/client-programs/pkg/operators/operators.go +++ /dev/null 
@@ -1,308 +0,0 @@ -package operators - -import ( - "context" - "fmt" - "time" - - "github.com/pkg/errors" - "gopkg.in/yaml.v2" - apiv1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/apimachinery/pkg/watch" - - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" -) - -var kappAppResource = schema.GroupVersionResource{Group: "kappctrl.k14s.io", Version: "v1alpha1", Resource: "apps"} - -func DeployOperators(version string, packageRepository string, clusterConfig *cluster.ClusterConfig, platformConfig *config.TrainingPlatformConfig) error { - fmt.Println("Deploying platform operators ...") - - client, err := clusterConfig.GetClient() - - if err != nil { - return err - } - - platformConfigData, err := yaml.Marshal(platformConfig) - - if err != nil { - return errors.Wrap(err, "failed to generate operators config") - } - - namespacesClient := client.CoreV1().Namespaces() - - _, err = namespacesClient.Get(context.TODO(), "educates-package", metav1.GetOptions{}) - - if k8serrors.IsNotFound(err) { - namespaceObj := apiv1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-package", - }, - } - - namespacesClient.Create(context.TODO(), &namespaceObj, metav1.CreateOptions{}) - } - - secretsClient := client.CoreV1().Secrets("educates-package") - - secret := &apiv1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-training-platform-values", - }, - Data: map[string][]byte{ - "values.yml": platformConfigData, - }, - } - - _, err = secretsClient.Create(context.TODO(), secret, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create operators config secret") - } - - 
serviceAccountsClient := client.CoreV1().ServiceAccounts("educates-package") - - serviceAccount := &apiv1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-training-platform-deploy", - }, - } - - _, err = serviceAccountsClient.Create(context.TODO(), serviceAccount, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create operators service account") - } - - clusterRoleBindingClient := client.RbacV1().ClusterRoleBindings() - - clusterRoleBinding := &rbacv1.ClusterRoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-training-platform-deploy", - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: "cluster-admin", - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: "educates-training-platform-deploy", - Namespace: "educates-package", - }, - }, - } - - _, err = clusterRoleBindingClient.Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create operators role binding") - } - - var bundleImageRef string - - if version == "latest" { - bundleImageRef = "registry.default.svc.cluster.local/educates-training-platform:0.0.1" - } else { - bundleImageRef = fmt.Sprintf("%s/educates-training-platform:%s", packageRepository, version) - } - - appResource := &unstructured.Unstructured{} - appResource.SetUnstructuredContent(map[string]interface{}{ - "apiVersion": "kappctrl.k14s.io/v1alpha1", - "kind": "App", - "metadata": map[string]interface{}{ - "name": "educates-training-platform", - "namespace": "educates-package", - "labels": map[string]string{ - "training.educates.dev/package": "training-platform", - }, - }, - "spec": map[string]interface{}{ - "serviceAccountName": "educates-training-platform-deploy", - "syncPeriod": "1h", - "fetch": []map[string]interface{}{ - { - "imgpkgBundle": map[string]interface{}{ - "image": bundleImageRef, - }, - }, - }, - "template": 
[]map[string]interface{}{ - { - "ytt": map[string]interface{}{ - "paths": []string{ - "config", - "kbld-bundle.yaml", - }, - "valuesFrom": []map[string]interface{}{ - { - "path": "kbld-images.yaml", - }, - { - "secretRef": map[string]interface{}{ - "name": "educates-training-platform-values", - }, - }, - }, - }, - }, - { - "kbld": map[string]interface{}{ - "paths": []string{ - ".imgpkg/images.yml", - "-", - }, - }, - }, - }, - "deploy": []map[string]interface{}{ - { - "kapp": map[string]interface{}{ - "rawOptions": []string{ - "--app-changes-max-to-keep=5", - }, - }, - }, - }, - }, - }) - - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return err - } - - appResourceClient := dynamicClient.Resource(kappAppResource).Namespace("educates-package") - - _, err = appResourceClient.Create(context.TODO(), appResource, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create operators app resource") - } - - if err := wait.Poll(time.Duration(1)*time.Second, time.Duration(10)*time.Minute, func() (done bool, err error) { - resource, err := appResourceClient.Get(context.TODO(), "educates-training-platform", metav1.GetOptions{}) - - if err != nil { - return false, err - } - - observedGeneration, exists, err := unstructured.NestedInt64(resource.Object, "status", "observedGeneration") - - if err != nil || !exists || resource.GetGeneration() != observedGeneration { - return false, err - } - - conditions, exists, err := unstructured.NestedSlice(resource.Object, "status", "conditions") - - if !exists { - return false, err - } - - statusUsefulErrorMessage, _, _ := unstructured.NestedString(resource.Object, "status.usefulErrorMessage") - statusFriendlyDescription, _, _ := unstructured.NestedString(resource.Object, "status.friendlyDescription") - - for _, condition := range conditions { - conditionObject := condition.(map[string]interface{}) - - conditionType, _, _ := unstructured.NestedString(conditionObject, "type") - 
conditionStatus, _, _ := unstructured.NestedString(conditionObject, "status") - - switch { - case conditionType == "ReconcileSucceeded" && conditionStatus == string(apiv1.ConditionTrue): - return true, nil - case conditionType == "ReconcileFailed" && conditionStatus == string(apiv1.ConditionTrue): - return false, fmt.Errorf("%s. %s", statusUsefulErrorMessage, statusFriendlyDescription) - } - } - return false, nil - }); err != nil { - return fmt.Errorf("%s: Reconciling: educates-package/educates-training-platform", err) - } - - return nil -} - -func DeleteOperators(clusterConfig *cluster.ClusterConfig, platformConfig *config.TrainingPlatformConfig) error { - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return err - } - - appResourceClient := dynamicClient.Resource(kappAppResource).Namespace("educates-package") - - err = appResourceClient.Delete(context.TODO(), "educates-training-platform", metav1.DeleteOptions{}) - - if err == nil { - timeout := int64(300) - - watcher, err := appResourceClient.Watch(context.TODO(), metav1.ListOptions{ - LabelSelector: "training.educates.dev/package=training-platform", - TimeoutSeconds: &timeout, - }) - - if err != nil { - return err - } - - defer watcher.Stop() - - watch: - for { - select { - case event := <-watcher.ResultChan(): - if event.Type == watch.Deleted { - break watch - } - case <-context.TODO().Done(): - return errors.New("timeout waiting for operator deletion") - } - } - } else { - // return err - } - - client, err := clusterConfig.GetClient() - - if err != nil { - return err - } - - clusterRoleBindingClient := client.RbacV1().ClusterRoleBindings() - - err = clusterRoleBindingClient.Delete(context.TODO(), "educates-training-platform-deploy", metav1.DeleteOptions{}) - - // if err != nil { - // return err - // } - - serviceAccountsClient := client.CoreV1().ServiceAccounts("educates-package") - - err = serviceAccountsClient.Delete(context.TODO(), "educates-training-platform-deploy", 
metav1.DeleteOptions{}) - - // if err != nil { - // return err - // } - - secretsClient := client.CoreV1().Secrets("educates-package") - - err = secretsClient.Delete(context.TODO(), "educates-training-platform-values", metav1.DeleteOptions{}) - - // if err != nil { - // return err - // } - - return nil -} diff --git a/client-programs/pkg/registry/registry.go b/client-programs/pkg/registry/registry.go index aa06ec807..9249305a8 100644 --- a/client-programs/pkg/registry/registry.go +++ b/client-programs/pkg/registry/registry.go @@ -1,26 +1,35 @@ package registry import ( + "archive/tar" + "bytes" + "compress/gzip" "context" "fmt" "io" + "net" "os" + "path" + "strings" - "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/container" + "github.com/docker/docker/api/types/filters" + "github.com/docker/docker/api/types/image" "github.com/docker/docker/api/types/network" "github.com/docker/docker/client" "github.com/docker/go-connections/nat" "github.com/pkg/errors" + yttyaml "gopkg.in/yaml.v2" apiv1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" + k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes" ) -func DeployRegistry() error { +func DeployRegistry(bindIP string) error { ctx := context.Background() fmt.Println("Deploying local image registry") @@ -42,7 +51,7 @@ func DeployRegistry() error { return nil } - reader, err := cli.ImagePull(ctx, "docker.io/library/registry:2", types.ImagePullOptions{}) + reader, err := cli.ImagePull(ctx, "docker.io/library/registry:2", image.PullOptions{}) if err != nil { return errors.Wrap(err, "cannot pull registry image") } 
@@ -50,12 +59,10 @@ func DeployRegistry() error { defer reader.Close() io.Copy(os.Stdout, reader) - _, err = cli.NetworkInspect(ctx, "educates", types.NetworkInspectOptions{}) + _, err = cli.NetworkInspect(ctx, "educates", network.InspectOptions{}) if err != nil { - _, err = cli.NetworkCreate(ctx, "educates", types.NetworkCreate{ - CheckDuplicate: true, - }) + _, err = cli.NetworkCreate(ctx, "educates", network.CreateOptions{}) if err != nil { return errors.Wrap(err, "cannot create educates network") @@ -66,7 +73,7 @@ func DeployRegistry() error { PortBindings: nat.PortMap{ "5000/tcp": []nat.PortBinding{ { - HostIP: "127.0.0.1", + HostIP: bindIP, HostPort: "5001", }, }, @@ -88,7 +95,7 @@ func DeployRegistry() error { return errors.Wrap(err, "cannot create registry container") } - if err := cli.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{}); err != nil { + if err := cli.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil { return errors.Wrap(err, "unable to start registry") } 
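Review bot: `HostIP: bindIP` lets the registry publish port 5001 on whatever address the caller supplies, where it was previously pinned to `127.0.0.1`; as deployed here the registry has no authentication or TLS in front of it (the containerd host entry added later in this file uses plain `http://educates-registry:5000`), so a non-loopback bind exposes a writable image store to everyone on that network, and anything the cluster later builds or runs from those images inherits whatever gets pushed there. `DeployRegistry` should state this on its parameter, e.g. `// bindIP is the host address the registry is published on; any non-loopback address exposes an unauthenticated registry to the network.`, and the "Deploying local image registry" message could include the effective address so the operator sees what was chosen. The enclosing `DeployRegistry` body starts and ends outside these hunks.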
@@ -103,6 +110,89 @@ func DeployRegistry() error { return nil } +func AddRegistryConfigToKindNodes(repositoryName string) error { + ctx := context.Background() + + fmt.Printf("Adding local image registry config (%s) to Kind nodes\n", repositoryName) + + cli, err := client.NewClientWithOpts(client.FromEnv) + + if err != nil { + return errors.Wrap(err, "unable to create docker client") + } + + containerID, _ := getContainerInfo("educates-control-plane") + + registryDir := "/etc/containerd/certs.d/" + repositoryName + + cmdStatement := []string{"mkdir", "-p", registryDir} + + optionsCreateExecuteScript := container.ExecOptions{ + AttachStdout: true, + AttachStderr: true, + Cmd: cmdStatement, + } + + response, err := cli.ContainerExecCreate(ctx, containerID, optionsCreateExecuteScript) + if err != nil { + return errors.Wrap(err, "unable to create exec command") + } + hijackedResponse, err := cli.ContainerExecAttach(ctx, response.ID, container.ExecAttachOptions{}) + if err != nil { + return errors.Wrap(err, "unable to attach exec command") + } + + hijackedResponse.Close() + + content := `[host."http://educates-registry:5000"]` + buffer, err := tarFile([]byte(content), path.Join("/etc/containerd/certs.d/"+repositoryName, "hosts.toml"), 0x644) + if err != nil { + return err + } + err = cli.CopyToContainer(context.Background(), + containerID, "/", + buffer, + container.CopyToContainerOptions{ + AllowOverwriteDirWithFile: true, + }) + if err != nil { + return errors.Wrap(err, "unable to copy file to container") + } + + return nil +} + +func DocumentLocalRegistry(client *kubernetes.Clientset) error { + yamlBytes, err := yttyaml.Marshal(`host: "localhost:5001"`) + if err != nil { + return err + } + + configMap := &apiv1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "local-registry-hosting", + Namespace: "kube-public", + }, + Data: map[string]string{ + "localRegistryHosting.v1": string(yamlBytes), + }, + } + + if _, err := 
client.CoreV1().ConfigMaps("kube-public").Get(context.TODO(), "local-registry-hosting", metav1.GetOptions{}); k8serrors.IsNotFound(err) { + _, err = client.CoreV1().ConfigMaps("kube-public").Create(context.TODO(), configMap, metav1.CreateOptions{}) + if err != nil { + return errors.Wrap(err, "unable to create local registry hosting config map") + } + } else { + _, err = client.CoreV1().ConfigMaps("kube-public").Update(context.TODO(), configMap, metav1.UpdateOptions{}) + if err != nil { + return errors.Wrap(err, "unable to update local registry hosting config map") + } + } + + return nil +} + func LinkRegistryToCluster() error { ctx := context.Background() @@ -157,7 +247,7 @@ func DeleteRegistry() error { return errors.Wrap(err, "unable to stop registry container") } - err = cli.ContainerRemove(ctx, "educates-registry", types.ContainerRemoveOptions{}) + err = cli.ContainerRemove(ctx, "educates-registry", container.RemoveOptions{}) if err != nil { return errors.Wrap(err, "unable to delete registry container") 
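Review bot: `tarFile(..., 0x644)` in `AddRegistryConfigToKindNodes` passes a hexadecimal literal: `0x644` is decimal 1604 (octal 03104), so the `hosts.toml` header carries setgid, sticky and owner-execute bits instead of the intended `rw-r--r--`; it should be the octal `0644`. In `DocumentLocalRegistry`, `yttyaml.Marshal` of a Go string produces a quoted YAML scalar (`'host: "localhost:5001"'`) rather than the `host: "localhost:5001"` mapping the `local-registry-hosting` ConfigMap is meant to carry, so consumers will read a single string; write the literal directly, `yamlBytes := []byte("host: \"localhost:5001\"\n")`, or marshal a struct with a `host` field. The same function also discards the status from `getContainerInfo("educates-control-plane")`, so a missing control-plane container surfaces only as an opaque exec error, and the `mkdir` exec is closed immediately without waiting for it or checking its exit code.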
@@ -254,3 +344,115 @@ func UpdateRegistryService(k8sclient *kubernetes.Clientset) error {
 return nil
 }
+
+func PruneRegistry() error {
+ ctx := context.Background()
+
+ fmt.Println("Pruning local image registry")
+
+ cli, err := client.NewClientWithOpts(client.FromEnv)
+
+ if err != nil {
+ return errors.Wrap(err, "unable to create docker client")
+ }
+
+ containerID, _ := getContainerInfo("educates-registry")
+
+ cmdStatement := []string{"registry", "garbage-collect", "/etc/docker/registry/config.yml", "--delete-untagged=true"}
+
+ optionsCreateExecuteScript := container.ExecOptions{
+ AttachStdout: false,
+ AttachStderr: false,
+ Cmd: cmdStatement,
+ }
+
+ response, err := cli.ContainerExecCreate(ctx, containerID, optionsCreateExecuteScript)
+ if err != nil {
+ return errors.Wrap(err, "unable to create exec command")
+ }
+ err = cli.ContainerExecStart(ctx, response.ID, container.ExecStartOptions{})
+ if err != nil {
+ return errors.Wrap(err, "unable to exec command")
+ }
+
+ fmt.Println("Registry pruned succesfully")
+
+ return nil
+}
+
+func getContainerInfo(containerName string) (containerID string, status string) {
+ ctx := context.Background()
+
+ cli, err := client.NewClientWithOpts(client.FromEnv)
+ if err != nil {
+ panic(err)
+ }
+
+ filters := filters.NewArgs()
+ filters.Add(
+ "name", containerName,
+ )
+
+ resp, err := cli.ContainerList(ctx, container.ListOptions{Filters: filters})
+ if err != nil {
+ panic(err)
+ }
+
+ if len(resp) > 0 {
+ containerID = resp[0].ID
+ containerStatus := strings.Split(resp[0].Status, " ")
+ status = containerStatus[0] //fmt.Println(status[0])
+ } else {
+ fmt.Printf("container '%s' does not exists\n", containerName)
+ }
+
+ return
+}
+
+func tarFile(fileContent []byte, basePath string, fileMode int64) (*bytes.Buffer, error) {
+ buffer := &bytes.Buffer{}
+
+ zr := gzip.NewWriter(buffer)
+ tw := tar.NewWriter(zr)
+
+ hdr := &tar.Header{
+ Name: basePath,
+ Mode: fileMode,
+ Size: int64(len(fileContent)),
+ }
+ if err :=
tw.WriteHeader(hdr); err != nil {
+ return buffer, err
+ }
+ if _, err := tw.Write(fileContent); err != nil {
+ return buffer, err
+ }
+
+ // produce tar
+ if err := tw.Close(); err != nil {
+ return buffer, fmt.Errorf("error closing tar file: %w", err)
+ }
+ // produce gzip
+ if err := zr.Close(); err != nil {
+ return buffer, fmt.Errorf("error closing gzip file: %w", err)
+ }
+
+ return buffer, nil
+}
+
+func ValidateAndResolveIP(bindIP string) (string, error) {
+ if bindIP == "" {
+ return "", errors.New("bind ip cannot be empty")
+ }
+
+ ip := net.ParseIP(bindIP)
+ if ip == nil {
+ // Check if bindIP is a valid domain name
+ ip, err := net.LookupHost(bindIP)
+ if err != nil {
+ return "", errors.New("bind ip is not a valid IP address or a domain name that resolves to an IP address")
+ }
+ return ip[0], nil
+ }
+
+ return ip.String(), nil
+}
diff --git a/client-programs/pkg/renderer/hugo.go b/client-programs/pkg/renderer/hugo.go
index da36d4cb6..9c60a6535 100644
--- a/client-programs/pkg/renderer/hugo.go
+++ b/client-programs/pkg/renderer/hugo.go
@@ -106,12 +106,12 @@ type WorkshopConfig struct {
 var workshopSessionResource = schema.GroupVersionResource{Group: "training.educates.dev", Version: "v1beta1", Resource: "workshopsessions"}
-func fetchWorkshopSessionAndValidate(kubeconfig string, workshop string, portal string, session string) (string, string, error) {
+func fetchWorkshopSessionAndValidate(kubeconfig string, kubeContext string, workshop string, portal string, session string) (string, string, error) {
 // Returns session URL, config password and error.
 var err error
- clusterConfig := cluster.NewClusterConfig(kubeconfig)
+ clusterConfig := cluster.NewClusterConfig(kubeconfig, kubeContext)
 dynamicClient, err := clusterConfig.GetDynamicClient()
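Review bot: PruneRegistry prints "Registry pruned succesfully" as soon as ContainerExecStart returns, but with AttachStdout/AttachStderr set to false that call only launches the garbage-collect in the background and never learns whether it succeeded; poll `cli.ContainerExecInspect` until the exec is no longer running and treat a non-zero ExitCode as an error (sketch below, which needs the `time` import), and fix the typo in the message. getContainerInfo panics on Docker client and list errors instead of returning them, and as far as I recall the Docker `name` filter is a substring match, so `resp[0]` may not be the container asked for when a similarly named container exists — returning an error and matching `resp[i].Names` exactly would be safer. None of the new functions close the Docker client they create; a `defer cli.Close()` after the `NewClientWithOpts` check avoids leaking the connection. In ValidateAndResolveIP the inner `ip, err := net.LookupHost(bindIP)` shadows the outer `ip` and the lookup error is discarded; `errors.Wrapf(err, "bind ip %q is not a valid IP address or a resolvable host name", bindIP)` keeps the cause.
```go
	err = cli.ContainerExecStart(ctx, response.ID, container.ExecStartOptions{})
	if err != nil {
		return errors.Wrap(err, "unable to exec command")
	}

	// Wait for garbage-collect to finish and surface its exit status;
	// ContainerExecStart returns as soon as the process is launched.
	for {
		inspect, err := cli.ContainerExecInspect(ctx, response.ID)
		if err != nil {
			return errors.Wrap(err, "unable to inspect exec command")
		}
		if !inspect.Running {
			if inspect.ExitCode != 0 {
				return errors.Errorf("registry garbage-collect exited with status %d", inspect.ExitCode)
			}
			break
		}
		time.Sleep(500 * time.Millisecond)
	}

	fmt.Println("Registry pruned successfully")
```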
@@ -345,6 +345,7 @@ func startHugoServer(workshopDir string, tempDir string, port int, sessionURL st
 commandPath, err := exec.LookPath("hugo")
 if err != nil {
+ fmt.Println("ERROR: Unable to find hugo program")
 return errors.Wrapf(err, "unable to find hugo program")
 }
@@ -391,7 +392,7 @@ func populateTemporaryDirectory() (string, error) {
 type ServerCleanupFunc func()
-func RunHugoServer(workshopRoot string, kubeconfig string, workshop string, portal string, localHost string, localPort int, hugoPort int, token string, files bool, cleanupFunc ServerCleanupFunc) error {
+func RunHugoServer(workshopRoot string, kubeconfig string, context string, workshop string, portal string, localHost string, localPort int, hugoPort int, token string, files bool, cleanupFunc ServerCleanupFunc) error {
 var err error
 var tempDir string
@@ -462,7 +463,7 @@ func RunHugoServer(workshopRoot string, kubeconfig string, workshop string, port
 if sessionName != lastSessionName {
 // First validate that can access workshop session.
- sessionURL, password, err := fetchWorkshopSessionAndValidate(kubeconfig, workshop, portal, sessionName)
+ sessionURL, password, err := fetchWorkshopSessionAndValidate(kubeconfig, context, workshop, portal, sessionName)
 if err != nil {
 fmt.Println("Error validating workshop session:", err)
diff --git a/client-programs/pkg/resolver/resolver.go b/client-programs/pkg/resolver/resolver.go
index 6a40849c3..dcf347ee8 100644
--- a/client-programs/pkg/resolver/resolver.go
+++ b/client-programs/pkg/resolver/resolver.go
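Review bot: The new parameter of RunHugoServer is named `context`, which shadows the standard `context` package for the whole function body; the sibling fetchWorkshopSessionAndValidate names the same value `kubeContext`, so `kubeContext string` here (and in the call in the last hunk) keeps the two consistent and avoids the trap the next time someone needs `context.TODO()` in that function. In startHugoServer the added `fmt.Println("ERROR: Unable to find hugo program")` duplicates the error that is returned on the next line, so callers that print the returned error report the failure twice; either drop the print or keep only the return, and since no format arguments are given `errors.Wrapf` can be `errors.Wrap`. Both functions start and end outside the hunks shown.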
@@ -9,14 +9,14 @@ import (
 "os"
 "path"
- "github.com/adrg/xdg"
- "github.com/docker/docker/api/types"
 "github.com/docker/docker/api/types/container"
+ "github.com/docker/docker/api/types/image"
 "github.com/docker/docker/api/types/mount"
 "github.com/docker/docker/client"
 "github.com/docker/go-connections/nat"
 "github.com/pkg/errors"
 "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils"
 )
 const dnsmasqConfigTemplateData = `
@@ -55,7 +55,7 @@ func DeployResolver(domain string, targetAddress string, extraDomains []string)
 return nil
 }
- reader, err := cli.ImagePull(ctx, "docker.io/jpillora/dnsmasq:latest", types.ImagePullOptions{})
+ reader, err := cli.ImagePull(ctx, "docker.io/jpillora/dnsmasq:latest", image.PullOptions{})
 if err != nil {
 return errors.Wrap(err, "cannot pull dnsmasq image")
 }
@@ -99,7 +99,7 @@ func DeployResolver(domain string, targetAddress string, extraDomains []string)
 return errors.Wrap(err, "failed to generate dnsmasq config")
 }
- configFileDir := path.Join(xdg.DataHome, "educates")
+ configFileDir := utils.GetEducatesHomeDir()
 configFileName := path.Join(configFileDir, "dnsmasq.conf")
 _ = os.Mkdir(configFileDir, os.ModePerm)
@@ -149,7 +149,7 @@ func DeployResolver(domain string, targetAddress string, extraDomains []string)
 return errors.Wrap(err, "cannot create resolver container")
 }
- if err := cli.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{}); err != nil {
+ if err := cli.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil {
 return errors.Wrap(err, "unable to start resolver")
 }
@@ -188,7 +188,7 @@ func DeleteResolver() error {
 return errors.Wrap(err, "unable to stop DNS resolver container")
 }
- err = cli.ContainerRemove(ctx, "educates-resolver", types.ContainerRemoveOptions{})
+ err = cli.ContainerRemove(ctx, "educates-resolver", container.RemoveOptions{})
 if err != nil {
 return errors.Wrap(err, "unable to delete DNS resolver container")
diff --git a/client-programs/pkg/cmd/admin_secrets_cmd_group.go b/client-programs/pkg/secrets/secrets.go
similarity index 51%
rename from client-programs/pkg/cmd/admin_secrets_cmd_group.go
rename to client-programs/pkg/secrets/secrets.go
index c9f4d0dff..c9bba736d 100644
--- a/client-programs/pkg/cmd/admin_secrets_cmd_group.go
+++ b/client-programs/pkg/secrets/secrets.go
@@ -1,4 +1,4 @@
-package cmd
+package secrets
 import (
 "context"
@@ -6,9 +6,8 @@ import (
 "path"
 "strings"
- "github.com/adrg/xdg"
 "github.com/pkg/errors"
- "github.com/spf13/cobra"
+ "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/utils"
 apiv1 "k8s.io/api/core/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,44 +16,13 @@ import (
 applycorev1 "k8s.io/client-go/applyconfigurations/core/v1"
 "k8s.io/client-go/kubernetes"
 "k8s.io/kubectl/pkg/scheme"
- "k8s.io/kubectl/pkg/util/templates"
 )
-func (p *ProjectInfo) NewAdminSecretsCmdGroup() *cobra.Command {
- var c = &cobra.Command{
- Use: "secrets",
- Short: "Manage local secrets cache",
- }
-
- // Use a command group as it allows us to dictate the order in which they
- // are displayed in the help message, as otherwise they are displayed in
- // sort order.
-
- commandGroups := templates.CommandGroups{
- {
- Message: "Available Commands:",
- Commands: []*cobra.Command{
- p.NewAdminSecretsAddCmdGroup(),
- p.NewAdminSecretsListCmd(),
- p.NewAdminSecretsExportCmd(),
- p.NewAdminSecretsImportCmd(),
- p.NewAdminSecretsSyncCmd(),
- p.NewAdminSecretsRemoveCmd(),
- },
- },
- }
-
- commandGroups.Add(c)
-
- templates.ActsAsRootCommand(c, []string{"--help"}, commandGroups...)
-
- return c
-}
+var secretsCacheDir = path.Join(utils.GetEducatesHomeDir(), "secrets")
-func CachedSecretForIngressDomain(domain string) string {
- configFileDir := path.Join(xdg.DataHome, "educates")
- secretsCacheDir := path.Join(configFileDir, "secrets")
+const secretsNS = "educates-secrets"
+func LocalCachedSecretForIngressDomain(domain string) string {
 files, err := os.ReadDir(secretsCacheDir)
 if err != nil {
@@ -64,45 +32,24 @@ func CachedSecretForIngressDomain(domain string) string { for _, f := range files { if strings.HasSuffix(f.Name(), ".yaml") { name := strings.TrimSuffix(f.Name(), ".yaml") - fullPath := path.Join(secretsCacheDir, f.Name()) - - yamlData, err := os.ReadFile(fullPath) - - if err != nil { - continue - } - - decoder := serializer.NewCodecFactory(scheme.Scheme).UniversalDecoder() - secretObj := &apiv1.Secret{} - err = runtime.DecodeInto(decoder, yamlData, secretObj) - + secretObj, err := decodeFileIntoSecret(f.Name()) if err != nil { continue } annotations := secretObj.ObjectMeta.Annotations - var val string - var found bool - // Domain name must match. - - if val, found = annotations["training.educates.dev/domain"]; !found { - continue - } - - if val != domain { + if val, found := annotations["training.educates.dev/domain"]; !found || val != domain { continue } // Type of secret needs to be kubernetes.io/tls. - if secretObj.Type != "kubernetes.io/tls" { continue } // Needs contain tls.crt and tls.key data. - if value, exists := secretObj.Data["tls.crt"]; !exists || len(value) == 0 { continue } @@ -118,10 +65,7 @@ func CachedSecretForIngressDomain(domain string) string { return "" } -func CachedSecretForCertificateAuthority(domain string) string { - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") - +func LocalCachedSecretForCertificateAuthority(domain string) string { files, err := os.ReadDir(secretsCacheDir) if err != nil { 
@@ -131,45 +75,24 @@ func CachedSecretForCertificateAuthority(domain string) string { for _, f := range files { if strings.HasSuffix(f.Name(), ".yaml") { name := strings.TrimSuffix(f.Name(), ".yaml") - fullPath := path.Join(secretsCacheDir, f.Name()) - - yamlData, err := os.ReadFile(fullPath) - - if err != nil { - continue - } - - decoder := serializer.NewCodecFactory(scheme.Scheme).UniversalDecoder() - secretObj := &apiv1.Secret{} - err = runtime.DecodeInto(decoder, yamlData, secretObj) - + secretObj, err := decodeFileIntoSecret(f.Name()) if err != nil { continue } annotations := secretObj.ObjectMeta.Annotations - var val string - var found bool - // Domain name must match. - - if val, found = annotations["training.educates.dev/domain"]; !found { - continue - } - - if val != domain { + if val, found := annotations["training.educates.dev/domain"]; !found || val != domain { continue } // Type of secret needs to be Opaque. - if secretObj.Type != "Opaque" && secretObj.Type != "" { continue } // Needs contain ca.crt data. - if value, exists := secretObj.Data["ca.crt"]; !exists || len(value) == 0 { continue } @@ -181,10 +104,10 @@ func CachedSecretForCertificateAuthority(domain string) string { return "" } -func SyncSecretsToCluster(client *kubernetes.Clientset) error { - configFileDir := path.Join(xdg.DataHome, "educates") - secretsCacheDir := path.Join(configFileDir, "secrets") - +/** + * SyncSecretsToCluster copies secrets from the local cache to the cluster. + */ +func SyncLocalCachedSecretsToCluster(client *kubernetes.Clientset) error { err := os.MkdirAll(secretsCacheDir, os.ModePerm) if err != nil { 
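Review bot: The doc comment added above SyncLocalCachedSecretsToCluster still names the old function, `SyncSecretsToCluster`, and is written as a `/** ... */` block, which is not the Go convention; Go tooling expects a `//` comment that begins with the identifier. Replace the three lines with `// SyncLocalCachedSecretsToCluster copies secrets from the local cache to the cluster.` The function's body continues outside the hunk.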
@@ -193,19 +116,19 @@ func SyncSecretsToCluster(client *kubernetes.Clientset) error {
 namespacesClient := client.CoreV1().Namespaces()
- _, err = namespacesClient.Get(context.TODO(), "educates-secrets", metav1.GetOptions{})
+ _, err = namespacesClient.Get(context.TODO(), secretsNS, metav1.GetOptions{})
 if k8serrors.IsNotFound(err) {
 namespaceObj := apiv1.Namespace{
 ObjectMeta: metav1.ObjectMeta{
- Name: "educates-secrets",
+ Name: secretsNS,
 },
 }
 namespacesClient.Create(context.TODO(), &namespaceObj, metav1.CreateOptions{})
 }
- secretsClient := client.CoreV1().Secrets("educates-secrets")
+ secretsClient := client.CoreV1().Secrets(secretsNS)
 files, err := os.ReadDir(secretsCacheDir)
@@ -216,26 +139,16 @@ func SyncSecretsToCluster(client *kubernetes.Clientset) error {
 for _, f := range files {
 if strings.HasSuffix(f.Name(), ".yaml") {
 name := strings.TrimSuffix(f.Name(), ".yaml")
- fullPath := path.Join(secretsCacheDir, f.Name())
-
- yamlData, err := os.ReadFile(fullPath)
-
+ secretObj, err := decodeFileIntoSecret(f.Name())
 if err != nil {
- continue
- }
-
- decoder := serializer.NewCodecFactory(scheme.Scheme).UniversalDecoder()
- secretObj := &apiv1.Secret{}
- err = runtime.DecodeInto(decoder, yamlData, secretObj)
-
- if err != nil {
- return errors.Wrapf(err, "unable to read secret file %q", fullPath)
+ return err
 }
 secretObj.ObjectMeta.Namespace = ""
 _, err = secretsClient.Get(context.TODO(), name, metav1.GetOptions{})
+ // Create the secret if it doesn't exist.
 if err != nil {
 if !k8serrors.IsNotFound(err) {
 return errors.Wrap(err, "unable to read secrets from cluster")
@@ -246,13 +159,14 @@ func SyncSecretsToCluster(client *kubernetes.Clientset) error {
 return errors.Wrapf(err, "unable to copy secret to cluster %q", name)
 }
 }
+ // Update the secret if it does exist.
 } else {
 var patch *applycorev1.SecretApplyConfiguration
 if len(secretObj.StringData) != 0 {
- patch = applycorev1.Secret(name, "educates-secrets").WithType(secretObj.Type).WithStringData(secretObj.StringData)
+ patch = applycorev1.Secret(name, secretsNS).WithType(secretObj.Type).WithStringData(secretObj.StringData)
 } else {
- patch = applycorev1.Secret(name, "educates-secrets").WithType(secretObj.Type).WithData(secretObj.Data)
+ patch = applycorev1.Secret(name, secretsNS).WithType(secretObj.Type).WithData(secretObj.Data)
 }
 _, err = secretsClient.Apply(context.TODO(), patch, metav1.ApplyOptions{FieldManager: "educates-cli", Force: true})
@@ -266,3 +180,20 @@ func SyncSecretsToCluster(client *kubernetes.Clientset) error {
 return nil
 }
+
+func decodeFileIntoSecret(fileName string) (*apiv1.Secret, error) {
+ fullPath := path.Join(secretsCacheDir, fileName)
+
+ yamlData, err := os.ReadFile(fullPath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to read secret file %q", fullPath)
+ }
+
+ decoder := serializer.NewCodecFactory(scheme.Scheme).UniversalDecoder()
+ secretObj := &apiv1.Secret{}
+ err = runtime.DecodeInto(decoder, yamlData, secretObj)
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to read secret file %q", fullPath)
+ }
+ return secretObj, nil
+}
diff --git a/client-programs/pkg/services/services.go b/client-programs/pkg/services/services.go
deleted file mode 100644
index d2f650bc0..000000000
--- a/client-programs/pkg/services/services.go
+++ /dev/null
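Review bot: In decodeFileIntoSecret both failure paths are wrapped with the identical message "unable to read secret file", so a malformed YAML document is indistinguishable from an I/O failure in the output; use `errors.Wrapf(err, "unable to decode secret file %q", fullPath)` for the DecodeInto error. In the earlier hunk of this file (`@@ -216,26 +139,16 @@`) the new helper also changes behaviour for SyncLocalCachedSecretsToCluster: an unreadable file used to be skipped with `continue` and now aborts the whole sync — presumably intended, but worth a line in the commit message. The added comment `// Update the secret if it does exist.` sits at the end of the `if` branch just before `} else {`, where it reads as describing the create path; moving it to the first line inside the else block avoids that.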
@@ -1,304 +0,0 @@ -package services - -import ( - "context" - "fmt" - "time" - - "github.com/pkg/errors" - "gopkg.in/yaml.v2" - apiv1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/apimachinery/pkg/watch" - - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster" - "github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config" -) - -var kappAppResource = schema.GroupVersionResource{Group: "kappctrl.k14s.io", Version: "v1alpha1", Resource: "apps"} - -func DeployServices(version string, packageRepository string, clusterConfig *cluster.ClusterConfig, servicesConfig *config.ClusterEssentialsConfig) error { - fmt.Println("Deploying cluster services ...") - - client, err := clusterConfig.GetClient() - - if err != nil { - return err - } - - serviceConfigData, err := yaml.Marshal(servicesConfig) - - if err != nil { - return errors.Wrap(err, "failed to generate service config") - } - - namespacesClient := client.CoreV1().Namespaces() - - _, err = namespacesClient.Get(context.TODO(), "educates-package", metav1.GetOptions{}) - - if k8serrors.IsNotFound(err) { - namespaceObj := apiv1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-package", - }, - } - - _, err = namespacesClient.Create(context.TODO(), &namespaceObj, metav1.CreateOptions{}) - } - - secretsClient := client.CoreV1().Secrets("educates-package") - - secret := &apiv1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-cluster-essentials-values", - }, - Data: map[string][]byte{ - "values.yml": serviceConfigData, - }, - } - - _, err = secretsClient.Create(context.TODO(), secret, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create services config secret") - } - - 
serviceAccountsClient := client.CoreV1().ServiceAccounts("educates-package") - - serviceAccount := &apiv1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-cluster-essentials-deploy", - }, - } - - _, err = serviceAccountsClient.Create(context.TODO(), serviceAccount, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create services service account") - } - - clusterRoleBindingClient := client.RbacV1().ClusterRoleBindings() - - clusterRoleBinding := &rbacv1.ClusterRoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: "educates-cluster-essentials-deploy", - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: "cluster-admin", - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: "educates-cluster-essentials-deploy", - Namespace: "educates-package", - }, - }, - } - - _, err = clusterRoleBindingClient.Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create services role binding") - } - - var bundleImageRef string - - if version == "latest" { - bundleImageRef = "registry.default.svc.cluster.local/educates-cluster-essentials:0.0.1" - } else { - bundleImageRef = fmt.Sprintf("%s/educates-cluster-essentials:%s", packageRepository, version) - } - - appResource := &unstructured.Unstructured{} - appResource.SetUnstructuredContent(map[string]interface{}{ - "apiVersion": "kappctrl.k14s.io/v1alpha1", - "kind": "App", - "metadata": map[string]interface{}{ - "name": "educates-cluster-essentials", - "namespace": "educates-package", - "labels": map[string]string{ - "training.educates.dev/package": "cluster-essentials", - }, - }, - "spec": map[string]interface{}{ - "serviceAccountName": "educates-cluster-essentials-deploy", - "syncPeriod": "1h", - "fetch": []map[string]interface{}{ - { - "imgpkgBundle": map[string]interface{}{ - "image": bundleImageRef, - }, - }, - }, - "template": 
[]map[string]interface{}{ - { - "ytt": map[string]interface{}{ - "paths": []string{ - "config", - }, - "valuesFrom": []map[string]interface{}{ - { - "secretRef": map[string]interface{}{ - "name": "educates-cluster-essentials-values", - }, - }, - }, - }, - }, - { - "kbld": map[string]interface{}{ - "paths": []string{ - ".imgpkg/images.yml", - "-", - }, - }, - }, - }, - "deploy": []map[string]interface{}{ - { - "kapp": map[string]interface{}{ - "rawOptions": []string{ - "--app-changes-max-to-keep=5", - }, - }, - }, - }, - }, - }) - - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return err - } - - appResourceClient := dynamicClient.Resource(kappAppResource).Namespace("educates-package") - - _, err = appResourceClient.Create(context.TODO(), appResource, metav1.CreateOptions{}) - - if err != nil { - return errors.Wrap(err, "unable to create services app resource") - } - - if err := wait.Poll(time.Duration(1)*time.Second, time.Duration(10)*time.Minute, func() (done bool, err error) { - resource, err := appResourceClient.Get(context.TODO(), "educates-cluster-essentials", metav1.GetOptions{}) - - if err != nil { - return false, err - } - - observedGeneration, exists, err := unstructured.NestedInt64(resource.Object, "status", "observedGeneration") - - if err != nil || !exists || resource.GetGeneration() != observedGeneration { - return false, err - } - - conditions, exists, err := unstructured.NestedSlice(resource.Object, "status", "conditions") - - if !exists { - return false, err - } - - statusUsefulErrorMessage, _, _ := unstructured.NestedString(resource.Object, "status.usefulErrorMessage") - statusFriendlyDescription, _, _ := unstructured.NestedString(resource.Object, "status.friendlyDescription") - - for _, condition := range conditions { - conditionObject := condition.(map[string]interface{}) - - conditionType, _, _ := unstructured.NestedString(conditionObject, "type") - conditionStatus, _, _ := 
unstructured.NestedString(conditionObject, "status") - - switch { - case conditionType == "ReconcileSucceeded" && conditionStatus == string(apiv1.ConditionTrue): - return true, nil - case conditionType == "ReconcileFailed" && conditionStatus == string(apiv1.ConditionTrue): - return false, fmt.Errorf("%s. %s", statusUsefulErrorMessage, statusFriendlyDescription) - } - } - return false, nil - }); err != nil { - return fmt.Errorf("%s: Reconciling: educates-package/educates-cluster-essentials", err) - } - - return nil -} - -func DeleteServices(clusterConfig *cluster.ClusterConfig, servicesConfig *config.ClusterEssentialsConfig) error { - dynamicClient, err := clusterConfig.GetDynamicClient() - - if err != nil { - return err - } - - appResourceClient := dynamicClient.Resource(kappAppResource).Namespace("educates-package") - - err = appResourceClient.Delete(context.TODO(), "educates-cluster-essentials", metav1.DeleteOptions{}) - - if err == nil { - timeout := int64(300) - - watcher, err := appResourceClient.Watch(context.TODO(), metav1.ListOptions{ - LabelSelector: "training.educates.dev/package=cluster-essentials", - TimeoutSeconds: &timeout, - }) - - if err != nil { - return err - } - - defer watcher.Stop() - - watch: - for { - select { - case event := <-watcher.ResultChan(): - if event.Type == watch.Deleted { - break watch - } - case <-context.TODO().Done(): - return errors.New("timeout waiting for service deletion") - } - } - } else { - // return err - } - - client, err := clusterConfig.GetClient() - - if err != nil { - return err - } - - clusterRoleBindingClient := client.RbacV1().ClusterRoleBindings() - - err = clusterRoleBindingClient.Delete(context.TODO(), "educates-cluster-essentials-deploy", metav1.DeleteOptions{}) - - // if err != nil { - // return err - // } - - serviceAccountsClient := client.CoreV1().ServiceAccounts("educates-package") - - err = serviceAccountsClient.Delete(context.TODO(), "educates-cluster-essentials-deploy", metav1.DeleteOptions{}) - - // 
if err != nil { - // return err - // } - - secretsClient := client.CoreV1().Secrets("educates-package") - - err = secretsClient.Delete(context.TODO(), "educates-cluster-essentials-values", metav1.DeleteOptions{}) - - // if err != nil { - // return err - // } - - return nil -} diff --git a/client-programs/pkg/templates/files/hugo/.gitignore b/client-programs/pkg/templates/files/hugo/.gitignore new file mode 100644 index 000000000..62c7b6daa --- /dev/null +++ b/client-programs/pkg/templates/files/hugo/.gitignore @@ -0,0 +1,2 @@ +workshop/.hugo_build.lock +workshop/public \ No newline at end of file diff --git a/client-programs/pkg/templates/internal.go b/client-programs/pkg/templates/internal.go index 0ba355cc9..0c1908d3b 100644 --- a/client-programs/pkg/templates/internal.go +++ b/client-programs/pkg/templates/internal.go @@ -11,7 +11,7 @@ import ( "github.com/pkg/errors" ) -//go:embed files/* +//go:embed all:files/* var workshopTemplates embed.FS type InternalTemplate string diff --git a/client-programs/pkg/utils/boolean_pointer.go b/client-programs/pkg/utils/boolean_pointer.go new file mode 100644 index 000000000..59b66b5fa --- /dev/null +++ b/client-programs/pkg/utils/boolean_pointer.go @@ -0,0 +1,5 @@ +package utils + +func BoolPointer(b bool) *bool { + return &b +} diff --git a/client-programs/pkg/utils/dirs.go b/client-programs/pkg/utils/dirs.go new file mode 100644 index 000000000..2a2ea6e68 --- /dev/null +++ b/client-programs/pkg/utils/dirs.go @@ -0,0 +1,11 @@ +package utils + +import ( + "path" + + "github.com/adrg/xdg" +) + +func GetEducatesHomeDir() string { + return path.Join(xdg.DataHome, "educates") +} diff --git a/client-programs/pkg/utils/files.go b/client-programs/pkg/utils/files.go new file mode 100644 index 000000000..d79a58e62 --- /dev/null +++ b/client-programs/pkg/utils/files.go 
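Review bot: GetEducatesHomeDir in the new dirs.go builds a host filesystem path with `path.Join`, which always uses forward slashes; `filepath.Join` is the helper for OS paths and is what the new files.go already uses for its output files. `return filepath.Join(xdg.DataHome, "educates")` (with the import switched to `path/filepath`) keeps the two utilities consistent, and the callers that compose `secretsCacheDir` and `configFileName` from this value have the same issue.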
@@ -0,0 +1,89 @@
+package utils
+
+import (
+ "fmt"
+ "os"
+ "path"
+ "path/filepath"
+ "slices"
+ "strings"
+
+ "carvel.dev/ytt/pkg/yamlmeta"
+ "github.com/pkg/errors"
+)
+
+func PrintYamlFilesInDir(dir string, args []string) error {
+ files, err := os.ReadDir(dir)
+
+ if err != nil {
+ return errors.Wrapf(err, "unable to read directory")
+ }
+
+ count := 0
+
+ for _, f := range files {
+ if strings.HasSuffix(f.Name(), ".yaml") {
+ name := strings.TrimSuffix(f.Name(), ".yaml")
+ fullPath := path.Join(dir, f.Name())
+
+ if len(args) == 0 || slices.Contains(args, name) {
+ yamlData, err := os.ReadFile(fullPath)
+
+ if err != nil {
+ continue
+ }
+
+ if len(yamlData) == 0 || string(yamlData) == "\n" {
+ continue
+ }
+
+ // if count != 0 {
+ fmt.Println("---")
+ // }
+
+ fmt.Print(string(yamlData))
+
+ count = count + 1
+ }
+ }
+ }
+ return nil
+}
+
+func WriteYamlByteArrayItemsToDir(files [][]byte, dir string) error {
+ for i, doc := range files {
+ file, err := os.Create(filepath.Join(dir, fmt.Sprintf("install_%.3d.yaml", i)))
+ if err != nil {
+ fmt.Printf("Failed to create file: %v\n", err)
+ return err
+ }
+ defer file.Close()
+
+ _, err = file.Write(doc)
+ if err != nil {
+ fmt.Printf("Failed to write to file: %v\n", err)
+ return err
+ }
+ }
+ return nil
+}
+
+func WriteYamlDocSetItemsToDir(fileSet *yamlmeta.DocumentSet, dir string) error {
+ for i, doc := range fileSet.Items {
+ file, err := os.Create(filepath.Join(dir, fmt.Sprintf("install_%.3d.yaml", i)))
+ if err != nil {
+ fmt.Printf("Failed to create file: %v\n", err)
+ return err
+ }
+ defer file.Close()
+
+ // Write the doc to the file
+ bytes, _ := doc.AsYAMLBytes()
+ _, err = file.WriteString(string(bytes))
+ if err != nil {
+ fmt.Printf("Failed to write to file: %v\n", err)
+ return err
+ }
+ }
+ return nil
+}
diff --git a/developer-docs/build-instructions.md b/developer-docs/build-instructions.md
index a8f147be5..88d102733 100644
--- a/developer-docs/build-instructions.md
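Review bot: In WriteYamlByteArrayItemsToDir and WriteYamlDocSetItemsToDir the `defer file.Close()` sits inside the loop, so every created file stays open until the function returns and the Close error — the one that reports a failed flush — is discarded; close each file explicitly per iteration and propagate the result, as in the shared helper sketched below. WriteYamlDocSetItemsToDir also ignores the error from `doc.AsYAMLBytes()` and would silently write an empty file, and the local named `bytes` shadows the standard package name. In PrintYamlFilesInDir `errors.Wrapf(err, "unable to read directory")` has no format arguments and omits the directory, so `errors.Wrapf(err, "unable to read directory %q", dir)` is more useful, and with the `if count != 0` guard commented out `count` no longer affects anything — either restore the guard or drop the counter. If the rendered manifests can carry credentials, creating them with `os.OpenFile(..., os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)` rather than `os.Create` (0666 before umask) would be the safer default; I cannot tell from this file what they hold.
```go
// writeInstallFile writes one rendered document to install_NNN.yaml in dir and
// closes the file before returning so that close/flush errors are reported.
func writeInstallFile(dir string, i int, data []byte) error {
	file, err := os.Create(filepath.Join(dir, fmt.Sprintf("install_%.3d.yaml", i)))
	if err != nil {
		return errors.Wrapf(err, "unable to create install file %d", i)
	}
	if _, err := file.Write(data); err != nil {
		file.Close()
		return errors.Wrapf(err, "unable to write install file %d", i)
	}
	return file.Close()
}

func WriteYamlByteArrayItemsToDir(files [][]byte, dir string) error {
	for i, doc := range files {
		if err := writeInstallFile(dir, i, doc); err != nil {
			return err
		}
	}
	return nil
}

func WriteYamlDocSetItemsToDir(fileSet *yamlmeta.DocumentSet, dir string) error {
	for i, doc := range fileSet.Items {
		data, err := doc.AsYAMLBytes()
		if err != nil {
			return errors.Wrapf(err, "unable to render install file %d", i)
		}
		if err := writeInstallFile(dir, i, data); err != nil {
			return err
		}
	}
	return nil
}
```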
+++ b/developer-docs/build-instructions.md @@ -8,10 +8,10 @@ Local Kubernetes environment To do development on the core Educates platform you will need access to a Kubernetes cluster. For this we recommend you use a local Kubernetes cluster created using [Kind](https://kind.sigs.k8s.io/). Rather than you create this Kind cluster yourself, you can create it using the `educates` CLI. This will ensure that the Kind cluster is setup properly for how the Educates code is structured for doing local development. -When creating a local Kubernetes cluster with Educates the `educates create-cluster` command is used. For the case of wanting to do local development on Educates itself, you need to disable installation of the services required by Educates, and the core Educates platform. This is done using the command: +When creating a local Kubernetes cluster with Educates the `educates create-cluster` command is used. For the case of wanting to do local development on Educates itself, you need to disable installation of the services required by Educates, and the core Educates platform. Provided you are using version 3.0 or later of the Educates CLI this is done using the command: ``` -educates create-cluster --with-services=false --with-platform=false +educates create-cluster --cluster-only ``` You can subsequently delete the local Kubernetes environment by running: 
@@ -29,117 +29,75 @@ When the local Kubernetes cluster is created using `educates create-cluster`, a The docker image registry will be available at `localhost:5001` and will be used to hold container images built from the Educates source code. This image registry will also be used as the source of images when Educates is deployed to the local Kubernetes cluster. -If over time the amount of storage consumed by the local docker image registry increases to the point where overall available space within the local docker environment runs low, you can try to clean out unreferenced image layers by running: +If over time the amount of storage consumed by the local docker image cache increases to the point where overall available space within the local docker environment runs low, you can try to clean out unreferenced image layers by running: ``` docker image prune ``` -If you need to delete the local docker image registry and redeloy it, you can run: +The local docker image registry created using the Educates CLI can also grow in size due to unreferenced images. To prune unreferenced image layers kept by the local docker image registry you can run: ``` -educates admin registry delete +educates local registry prune ``` -to delete it, and: - -``` -educates admin registry deploy -``` - -to recreate it. - -Note that this later command will create/update service resources in the Kubernetes cluster which are used to map and make available the local docker registry in the cluster. The original `educates create-cluster` command will also configure `containerd` within the Kubernetes cluster to trust the local docker image registry. It is thus important to use the `educates` CLI to deploy the local docker image registry rather than attempting to deploy a local docker image registry yourself. - -Ingress router and other services ---------------------------------- - -Educates requires a functional ingress router to be deployed to the Kubernetes cluster. 
To make it easier to install this Educates provides the `educates-cluster-essentials`. This package includes the Contour ingress router as well as other services required by Educates. - -If you are not working on code changes to the `educates-cluster-essentials` package itself, you can use the `educates` CLI to install a previously released version of the package by running: +If you need to delete the local docker image registry and redeloy it, you can run: ``` -educates admin services deploy +educates local registry delete ``` -You could also have left out the `--with-services=false` option to `educates create-cluster` when creating the local Kubernetes cluster. - -When this package is installed using the `educates` CLI, it is required that `kapp-controller` be installed into the Kubernetes cluster. This is something you do not need to do though as `kapp-controller` will be automatically installed by the `educates create-cluster` command. - -Note that the version of the package which is installed will be that which corresponds to the version of the `educates` CLI being used. If you have compiled the `educates` CLI from local source code, then it will be tagged as being the `develop` version and the `develop` versions of the packages available on GitHub container registry may be out of date at any particular time. Thus if using locally compiled `educates` CLI, you should specify the version to be used. +to delete it, and: ``` -educates admin services deploy --version X.Y.Z +educates local registry deploy ``` -Normally you would pick whatever is the latest Educates version. +to recreate it. You will however need to push any previously built images to the local docker image registry again if this is done. 
-If needing to delete all the services deployed using the `educates-cluster-essentials` package using the `educates` CLI you can run the command: +Note that this later command will create/update service resources in the Kubernetes cluster which are used to map and make available the local docker registry in the cluster. The original `educates create-cluster` command will also configure `containerd` within the Kubernetes cluster to trust the local docker image registry. It is thus important to use the `educates` CLI to deploy the local docker image registry rather than attempting to deploy a local docker image registry yourself. -``` -educates admin services delete -``` +Defining installer configuration +-------------------------------- -If you are going to be working on the `educates-cluster-essentials` package, you should instead install it from the local source code by running: +Before building and deploying Educates from source code, you will need to supply a configuration file providing details of the target cluster and what is to be installed. This configuration should be placed in the file: ``` -make deploy-cluster-essentials +developer-testing/educates-installer-values.yaml ``` -To avoid some of the complexity of using `kapp-controller` this will use `kapp` rather than `kapp-controller`. +within the Educates source code directory. 
-If needing to test that the `educates-cluster-essentials` package bundle for `kapp-controller` is itself correct, you should instead use the commands: +Where deploying to the local Kind cluster created using the Educates CLI, you can create this by running: ``` -make push-cluster-essentials-bundle -make deploy-cluster-essentials-bundle +educates local config view > developer-testing/educates-installer-values.yaml ``` -To delete all the services deployed using the `educates-cluster-essentials` package when using the `make` command, use: +this should contain at least: ``` -make delete-cluster-essentials -``` - -or: +clusterInfrastructure: + provider: kind -``` -make delete-cluster-essentials-bundle +clusterIngress: + domain: 192.168.1.1.nip.io ``` -as appropriate. +By setting the `provider` as `kind`, an opinionated configuration suitable for a Kubernetes cluster created using Kind will be used. This includes the automatic deployment and configuration of an ingress router for the cluster using Contour, and the installation of Kyverno for implementing cluster and workshop security policies. -Note that because the core Educates platform has dependencies on this package, if deleting this package you should first delete the core Educates platform, and reinstall it after this package has been reinstalled. +The `domain` should be set to be a `nip.io` address mapping to the IP address of your local host where you are doing development, or some other FQDN which maps to your local host. -Installing the Educates platform --------------------------------- - -If working on the `educates-cluster-essentials` package and installing it from local source code, and you need to install the core Educates platform on top, it is available as the `educates-training-platform` package. 
- -To install this using a previously released version of the package you can run: - -``` -educates admin platform deploy -``` - -Note that the version of the package which is installed will be that which corresponds to the version of the `educates` CLI being used. If you have compiled the `educates` CLI from local source code, then it will be tagged as being the `develop` version and the `develop` versions of the packages available on GitHub container registry may be out of date at any particular time. Thus if using locally compiled `educates` CLI, you should specify the version to be used. - -``` -educates admin platform deploy --version X.Y.Z -``` - -Normally you would pick whatever is the latest Educates version. - -If needing to delete all the services deployed using the `educates-training-platform` package using the `educates` CLI you can run the command: +If the configuration requires additional secrets these will need added to the local Kubernetes cluster in the namespace required by the configuration. If these secrets had previously been added to the local secrets cache, you can copy them to the local Kubernetes cluster by running: ``` -educates admin platform delete +educates local secrets sync ``` Building Educates platform images --------------------------------- -If you will be working on the core Educates platform, you will first need to build the container images for the `educates-training-platform` package. To do this you can run: +To build the container images for the Educates training platform you can run: ``` make push-core-images 
@@ -158,48 +116,36 @@ make push-training-portal See the [Makefile](../Makefile) for more details of the make targets that are available. -Once the container images have been built and pushed to the local docker image registry, you can then deploy the core Educates platform by running: +Once the container images have been built and pushed to the local docker image registry, you can then deploy everything by running: ``` -make deploy-training-platform +make deploy-platform ``` -As with the `educates-cluster-essentials` package, to avoid some of the complexity of using `kapp-controller` this will use `kapp` rather than `kapp-controller`. - -If needing to test that the `educates-training-platform` package bundle for `kapp-controller` is itself correct, you should instead use the commands: +This will perform an install directly from configuration files in the current directory. If needing to test that the `educates-installer` package bundle used by the Educates CLI installer and also `kapp-controller`, is correct, you should instead use the commands: ``` make push-all-images -make push-training-platform-bundle -make deploy-training-platform-bundle +make push-installer-bundle +make deploy-platform-bundle ``` The `make push-all-images` command will make sure that optional workshop base images as well as the core Educates platform are built. It is necessary to build all images when testing the package bundle as the package generated will include image hashes for all images. -To delete all the services deployed using the `educates-training-platform` package when using the `make` command, use: +To delete everything deployed using the `educates-installer` package when using the `make` command, use: ``` -make delete-training-platform +make delete-platform ``` or: ``` -make delete-training-platform-bundle +make delete-platform-bundle ``` as appropriate. 
-Overriding default configuration --------------------------------- - -When deploying the `educates-cluster-essentials` and `educates-training-platform` packages from local source code the builtin defaults for configuration will be used. If you need to override these you need to provide appropriate data values files in the `developer-testing` subdirectory. - -* developer-testing/educates-cluster-essentials-values.yaml -* developer-testing/educates-training-platform-values.yaml - -For specific details on what these need to provide see the main Educates documentation about configuration settings for Educates when deploying using the Carvel packages. - Building additional workshop images ----------------------------------- 
@@ -237,9 +183,17 @@ make build-client-programs You can then run the `educates` CLI program from the `client-programs/bin` subdirectory. The name of the compiled CLI will incorporate the target system and machine architecture, e.g.: `educates-linux-amd64`. -Note that when building the `educates` CLI from local source code, the embedded project version will be `develop`. If you are running it to test creation of an Educates cluster, or installing the cluster essentials or training platform packages, you will need to tell it what previously released versions of the package should be used. This can be done using the `--version` of sub commands where this is necessary. +Note that when building the `educates` CLI from local source code, the embedded project version will be `develop`. If you are running it to test creation of the local Kubernetes cluster with Educates using an existing version, you will need to tell it what previously released version of the package should be used. This can be done using the `--version` of sub commands where this is necessary. -If you have built and pushed to the local image registry the package bundles for `educates-cluster-essentials` and `educates-training-platform`, you can supply `latest` to the `--version` option and it will use the package bundles and images from the local image registry rather than those hosted on GitHub container registry. +``` +./client-programs/bin/educates-linux-amd64 create-cluster --version=3.0.0 +``` + +If you have built and pushed to the local image registry the package bundles for `educates-installer`, you will need to tell the CLI to use the package bundles and images from the local image registry rather than those hosted on GitHub container registry. This can be done by specifying the version to be `latest`. + +``` +./client-programs/bin/educates-linux-amd64 create-cluster --version=latest +``` Cleaning up available storage space ----------------------------------- 
diff --git a/docker-extension/ui/package-lock.json b/docker-extension/ui/package-lock.json index 12662396a..55ca7b024 100644 --- a/docker-extension/ui/package-lock.json +++ b/docker-extension/ui/package-lock.json @@ -2610,12 +2610,12 @@ } }, "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dev": true, "dependencies": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" }, "engines": { "node": ">=8" @@ -3176,9 +3176,9 @@ } }, "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dev": true, "dependencies": { "to-regex-range": "^5.0.1" diff --git a/go.work b/go.work new file mode 100644 index 000000000..19f9f1f5f --- /dev/null +++ b/go.work @@ -0,0 +1,3 @@ +go 1.22.5 + +use ./client-programs/ diff --git a/go.work.sum b/go.work.sum new file mode 100644 index 000000000..7d67f7bcc --- /dev/null +++ b/go.work.sum 
@@ -0,0 +1,905 @@ +carvel.dev/kapp v0.59.2/go.mod h1:HAeURGw65eT00APPvnOQ8uDx5yvdrro2vtH5VYF1Zz0= +carvel.dev/ytt v0.47.0/go.mod h1:Xarf0th61vX6VY07l3KBSi3uaMCQ2UyPPiCPiaVpHME= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.99.0 h1:y/cM2iqGgGi5D5DQZl6D9STN/3dR/Vx5Mp8s752oJTY= +cloud.google.com/go v0.110.4 h1:1JYyxKMN9hd5dR2MYTPWkGUgcoxVVhg0LKNKEo0qvmk= +cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME= +cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk= +cloud.google.com/go v0.115.0 h1:CnFSK6Xo3lDYRoBKEcAtia6VSC837/ZkJuRduSFnr14= +cloud.google.com/go v0.115.0/go.mod h1:8jIM5vVgoAEoiVxQ/O4BFTfHqulPZgs/ufEzMcFMdWU= +cloud.google.com/go/accessapproval v1.7.2/go.mod h1:/gShiq9/kK/h8T/eEn1BTzalDvk0mZxJlhfw0p+Xuc0= +cloud.google.com/go/accesscontextmanager v1.8.2/go.mod h1:E6/SCRM30elQJ2PKtFMs2YhfJpZSNcJyejhuzoId4Zk= +cloud.google.com/go/aiplatform v1.51.1/go.mod 
h1:kY3nIMAVQOK2XDqDPHaOuD9e+FdMA6OOpfBjsvaFSOo= +cloud.google.com/go/analytics v0.21.4/go.mod h1:zZgNCxLCy8b2rKKVfC1YkC2vTrpfZmeRCySM3aUbskA= +cloud.google.com/go/apigateway v1.6.2/go.mod h1:CwMC90nnZElorCW63P2pAYm25AtQrHfuOkbRSHj0bT8= +cloud.google.com/go/apigeeconnect v1.6.2/go.mod h1:s6O0CgXT9RgAxlq3DLXvG8riw8PYYbU/v25jqP3Dy18= +cloud.google.com/go/apigeeregistry v0.7.2/go.mod h1:9CA2B2+TGsPKtfi3F7/1ncCCsL62NXBRfM6iPoGSM+8= +cloud.google.com/go/appengine v1.8.2/go.mod h1:WMeJV9oZ51pvclqFN2PqHoGnys7rK0rz6s3Mp6yMvDo= +cloud.google.com/go/area120 v0.8.2/go.mod h1:a5qfo+x77SRLXnCynFWPUZhnZGeSgvQ+Y0v1kSItkh4= +cloud.google.com/go/artifactregistry v1.14.3/go.mod h1:A2/E9GXnsyXl7GUvQ/2CjHA+mVRoWAXC0brg2os+kNI= +cloud.google.com/go/asset v1.15.1/go.mod h1:yX/amTvFWRpp5rcFq6XbCxzKT8RJUam1UoboE179jU4= +cloud.google.com/go/assuredworkloads v1.11.2/go.mod h1:O1dfr+oZJMlE6mw0Bp0P1KZSlj5SghMBvTpZqIcUAW4= +cloud.google.com/go/auth v0.7.2/go.mod h1:VEc4p5NNxycWQTMQEDQF0bd6aTMb6VgYDXEwiJJQAbs= +cloud.google.com/go/auth/oauth2adapt v0.2.3/go.mod h1:tMQXOfZzFuNuUxOypHlQEXgdfX5cuhwU+ffUuXRJE8I= +cloud.google.com/go/automl v1.13.2/go.mod h1:gNY/fUmDEN40sP8amAX3MaXkxcqPIn7F1UIIPZpy4Mg= +cloud.google.com/go/baremetalsolution v1.2.1/go.mod h1:3qKpKIw12RPXStwQXcbhfxVj1dqQGEvcmA+SX/mUR88= +cloud.google.com/go/batch v1.5.1/go.mod h1:RpBuIYLkQu8+CWDk3dFD/t/jOCGuUpkpX+Y0n1Xccs8= +cloud.google.com/go/beyondcorp v1.0.1/go.mod h1:zl/rWWAFVeV+kx+X2Javly7o1EIQThU4WlkynffL/lk= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigquery v1.56.0/go.mod 
h1:KDcsploXTEY7XT3fDQzMUZlpQLHzE4itubHrnmhUrZA= +cloud.google.com/go/billing v1.17.2/go.mod h1:u/AdV/3wr3xoRBk5xvUzYMS1IawOAPwQMuHgHMdljDg= +cloud.google.com/go/binaryauthorization v1.7.1/go.mod h1:GTAyfRWYgcbsP3NJogpV3yeunbUIjx2T9xVeYovtURE= +cloud.google.com/go/certificatemanager v1.7.2/go.mod h1:15SYTDQMd00kdoW0+XY5d9e+JbOPjp24AvF48D8BbcQ= +cloud.google.com/go/channel v1.17.1/go.mod h1:xqfzcOZAcP4b/hUDH0GkGg1Sd5to6di1HOJn/pi5uBQ= +cloud.google.com/go/cloudbuild v1.14.1/go.mod h1:K7wGc/3zfvmYWOWwYTgF/d/UVJhS4pu+HAy7PL7mCsU= +cloud.google.com/go/clouddms v1.7.1/go.mod h1:o4SR8U95+P7gZ/TX+YbJxehOCsM+fe6/brlrFquiszk= +cloud.google.com/go/cloudtasks v1.12.2/go.mod h1:A7nYkjNlW2gUoROg1kvJrQGhJP/38UaWwsnuBDOBVUk= +cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.25.1 h1:ZRpHJedLtTpKgr3RV1Fx23NuaAEN1Zfx9hw1u4aJdjU= +cloud.google.com/go/compute v1.27.4 h1:XM8ulx6crjdl09XBfji7viFgZOEQuIxBwKmjRH9Rtmc= +cloud.google.com/go/compute v1.27.4/go.mod h1:7JZS+h21ERAGHOy5qb7+EPyXlQwzshzrx1x6L9JhTqU= +cloud.google.com/go/contactcenterinsights v1.11.1/go.mod h1:FeNP3Kg8iteKM80lMwSk3zZZKVxr+PGnAId6soKuXwE= +cloud.google.com/go/container v1.26.1/go.mod h1:5smONjPRUxeEpDG7bMKWfDL4sauswqEtnBK1/KKpR04= +cloud.google.com/go/containeranalysis v0.11.1/go.mod h1:rYlUOM7nem1OJMKwE1SadufX0JP3wnXj844EtZAwWLY= +cloud.google.com/go/datacatalog v1.18.1/go.mod h1:TzAWaz+ON1tkNr4MOcak8EBHX7wIRX/gZKM+yTVsv+A= +cloud.google.com/go/dataflow v0.9.2/go.mod h1:vBfdBZ/ejlTaYIGB3zB4T08UshH70vbtZeMD+urnUSo= +cloud.google.com/go/dataform v0.8.2/go.mod h1:X9RIqDs6NbGPLR80tnYoPNiO1w0wenKTb8PxxlhTMKM= +cloud.google.com/go/datafusion v1.7.2/go.mod h1:62K2NEC6DRlpNmI43WHMWf9Vg/YvN6QVi8EVwifElI0= +cloud.google.com/go/datalabeling v0.8.2/go.mod h1:cyDvGHuJWu9U/cLDA7d8sb9a0tWLEletStu2sTmg3BE= +cloud.google.com/go/dataplex v1.10.1/go.mod 
h1:1MzmBv8FvjYfc7vDdxhnLFNskikkB+3vl475/XdCDhs= +cloud.google.com/go/dataproc/v2 v2.2.1/go.mod h1:QdAJLaBjh+l4PVlVZcmrmhGccosY/omC1qwfQ61Zv/o= +cloud.google.com/go/dataqna v0.8.2/go.mod h1:KNEqgx8TTmUipnQsScOoDpq/VlXVptUqVMZnt30WAPs= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/datastore v1.15.0/go.mod h1:GAeStMBIt9bPS7jMJA85kgkpsMkvseWWXiaHya9Jes8= +cloud.google.com/go/datastream v1.10.1/go.mod h1:7ngSYwnw95YFyTd5tOGBxHlOZiL+OtpjheqU7t2/s/c= +cloud.google.com/go/deploy v1.13.1/go.mod h1:8jeadyLkH9qu9xgO3hVWw8jVr29N1mnW42gRJT8GY6g= +cloud.google.com/go/dialogflow v1.44.1/go.mod h1:n/h+/N2ouKOO+rbe/ZnI186xImpqvCVj2DdsWS/0EAk= +cloud.google.com/go/dlp v1.10.2/go.mod h1:ZbdKIhcnyhILgccwVDzkwqybthh7+MplGC3kZVZsIOQ= +cloud.google.com/go/documentai v1.23.2/go.mod h1:Q/wcRT+qnuXOpjAkvOV4A+IeQl04q2/ReT7SSbytLSo= +cloud.google.com/go/domains v0.9.2/go.mod h1:3YvXGYzZG1Temjbk7EyGCuGGiXHJwVNmwIf+E/cUp5I= +cloud.google.com/go/edgecontainer v1.1.2/go.mod h1:wQRjIzqxEs9e9wrtle4hQPSR1Y51kqN75dgF7UllZZ4= +cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU= +cloud.google.com/go/essentialcontacts v1.6.3/go.mod h1:yiPCD7f2TkP82oJEFXFTou8Jl8L6LBRPeBEkTaO0Ggo= +cloud.google.com/go/eventarc v1.13.1/go.mod h1:EqBxmGHFrruIara4FUQ3RHlgfCn7yo1HYsu2Hpt/C3Y= +cloud.google.com/go/filestore v1.7.2/go.mod h1:TYOlyJs25f/omgj+vY7/tIG/E7BX369triSPzE4LdgE= +cloud.google.com/go/firestore v1.13.0/go.mod h1:QojqqOh8IntInDUSTAh0c8ZsPYAr68Ma8c5DWOy8xb8= +cloud.google.com/go/functions v1.15.2/go.mod h1:CHAjtcR6OU4XF2HuiVeriEdELNcnvRZSk1Q8RMqy4lE= +cloud.google.com/go/gkebackup v1.3.2/go.mod h1:OMZbXzEJloyXMC7gqdSB+EOEQ1AKcpGYvO3s1ec5ixk= +cloud.google.com/go/gkeconnect v0.8.2/go.mod h1:6nAVhwchBJYgQCXD2pHBFQNiJNyAd/wyxljpaa6ZPrY= +cloud.google.com/go/gkehub v0.14.2/go.mod h1:iyjYH23XzAxSdhrbmfoQdePnlMj2EWcvnR+tHdBQsCY= +cloud.google.com/go/gkemulticloud v1.0.1/go.mod 
h1:AcrGoin6VLKT/fwZEYuqvVominLriQBCKmbjtnbMjG8= +cloud.google.com/go/gsuiteaddons v1.6.2/go.mod h1:K65m9XSgs8hTF3X9nNTPi8IQueljSdYo9F+Mi+s4MyU= +cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE= +cloud.google.com/go/iap v1.9.1/go.mod h1:SIAkY7cGMLohLSdBR25BuIxO+I4fXJiL06IBL7cy/5Q= +cloud.google.com/go/ids v1.4.2/go.mod h1:3vw8DX6YddRu9BncxuzMyWn0g8+ooUjI2gslJ7FH3vk= +cloud.google.com/go/iot v1.7.2/go.mod h1:q+0P5zr1wRFpw7/MOgDXrG/HVA+l+cSwdObffkrpnSg= +cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ= +cloud.google.com/go/language v1.11.1/go.mod h1:Xyid9MG9WOX3utvDbpX7j3tXDmmDooMyMDqgUVpH17U= +cloud.google.com/go/lifesciences v0.9.2/go.mod h1:QHEOO4tDzcSAzeJg7s2qwnLM2ji8IRpQl4p6m5Z9yTA= +cloud.google.com/go/logging v1.8.1/go.mod h1:TJjR+SimHwuC8MZ9cjByQulAMgni+RkXeI3wwctHJEI= +cloud.google.com/go/longrunning v0.5.2/go.mod h1:nqo6DQbNV2pXhGDbDMoN2bWz68MjZUzqv2YttZiveCs= +cloud.google.com/go/managedidentities v1.6.2/go.mod h1:5c2VG66eCa0WIq6IylRk3TBW83l161zkFvCj28X7jn8= +cloud.google.com/go/maps v1.4.1/go.mod h1:BxSa0BnW1g2U2gNdbq5zikLlHUuHW0GFWh7sgML2kIY= +cloud.google.com/go/mediatranslation v0.8.2/go.mod h1:c9pUaDRLkgHRx3irYE5ZC8tfXGrMYwNZdmDqKMSfFp8= +cloud.google.com/go/memcache v1.10.2/go.mod h1:f9ZzJHLBrmd4BkguIAa/l/Vle6uTHzHokdnzSWOdQ6A= +cloud.google.com/go/metastore v1.13.1/go.mod h1:IbF62JLxuZmhItCppcIfzBBfUFq0DIB9HPDoLgWrVOU= +cloud.google.com/go/monitoring v1.16.1/go.mod h1:6HsxddR+3y9j+o/cMJH6q/KJ/CBTvM/38L/1m7bTRJ4= +cloud.google.com/go/networkconnectivity v1.14.1/go.mod h1:LyGPXR742uQcDxZ/wv4EI0Vu5N6NKJ77ZYVnDe69Zug= +cloud.google.com/go/networkmanagement v1.9.1/go.mod h1:CCSYgrQQvW73EJawO2QamemYcOb57LvrDdDU51F0mcI= +cloud.google.com/go/networksecurity v0.9.2/go.mod h1:jG0SeAttWzPMUILEHDUvFYdQTl8L/E/KC8iZDj85lEI= +cloud.google.com/go/notebooks v1.10.1/go.mod h1:5PdJc2SgAybE76kFQCWrTfJolCOUQXF97e+gteUUA6A= +cloud.google.com/go/optimization v1.5.1/go.mod 
h1:NC0gnUD5MWVAF7XLdoYVPmYYVth93Q6BUzqAq3ZwtV8= +cloud.google.com/go/orchestration v1.8.2/go.mod h1:T1cP+6WyTmh6LSZzeUhvGf0uZVmJyTx7t8z7Vg87+A0= +cloud.google.com/go/orgpolicy v1.11.2/go.mod h1:biRDpNwfyytYnmCRWZWxrKF22Nkz9eNVj9zyaBdpm1o= +cloud.google.com/go/osconfig v1.12.2/go.mod h1:eh9GPaMZpI6mEJEuhEjUJmaxvQ3gav+fFEJon1Y8Iw0= +cloud.google.com/go/oslogin v1.11.1/go.mod h1:OhD2icArCVNUxKqtK0mcSmKL7lgr0LVlQz+v9s1ujTg= +cloud.google.com/go/phishingprotection v0.8.2/go.mod h1:LhJ91uyVHEYKSKcMGhOa14zMMWfbEdxG032oT6ECbC8= +cloud.google.com/go/policytroubleshooter v1.9.1/go.mod h1:MYI8i0bCrL8cW+VHN1PoiBTyNZTstCg2WUw2eVC4c4U= +cloud.google.com/go/privatecatalog v0.9.2/go.mod h1:RMA4ATa8IXfzvjrhhK8J6H4wwcztab+oZph3c6WmtFc= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0= +cloud.google.com/go/recaptchaenterprise/v2 v2.8.1/go.mod h1:JZYZJOeZjgSSTGP4uz7NlQ4/d1w5hGmksVgM0lbEij0= +cloud.google.com/go/recommendationengine v0.8.2/go.mod h1:QIybYHPK58qir9CV2ix/re/M//Ty10OxjnnhWdaKS1Y= +cloud.google.com/go/recommender v1.11.1/go.mod h1:sGwFFAyI57v2Hc5LbIj+lTwXipGu9NW015rkaEM5B18= +cloud.google.com/go/redis v1.13.2/go.mod h1:0Hg7pCMXS9uz02q+LoEVl5dNHUkIQv+C/3L76fandSA= +cloud.google.com/go/resourcemanager v1.9.2/go.mod h1:OujkBg1UZg5lX2yIyMo5Vz9O5hf7XQOSV7WxqxxMtQE= +cloud.google.com/go/resourcesettings v1.6.2/go.mod h1:mJIEDd9MobzunWMeniaMp6tzg4I2GvD3TTmPkc8vBXk= +cloud.google.com/go/retail v1.14.2/go.mod h1:W7rrNRChAEChX336QF7bnMxbsjugcOCPU44i5kbLiL8= +cloud.google.com/go/run v1.3.1/go.mod h1:cymddtZOzdwLIAsmS6s+Asl4JoXIDm/K1cpZTxV4Q5s= +cloud.google.com/go/scheduler 
v1.10.2/go.mod h1:O3jX6HRH5eKCA3FutMw375XHZJudNIKVonSCHv7ropY= +cloud.google.com/go/secretmanager v1.11.2/go.mod h1:MQm4t3deoSub7+WNwiC4/tRYgDBHJgJPvswqQVB1Vss= +cloud.google.com/go/security v1.15.2/go.mod h1:2GVE/v1oixIRHDaClVbHuPcZwAqFM28mXuAKCfMgYIg= +cloud.google.com/go/securitycenter v1.23.1/go.mod h1:w2HV3Mv/yKhbXKwOCu2i8bCuLtNP1IMHuiYQn4HJq5s= +cloud.google.com/go/servicedirectory v1.11.1/go.mod h1:tJywXimEWzNzw9FvtNjsQxxJ3/41jseeILgwU/QLrGI= +cloud.google.com/go/shell v1.7.2/go.mod h1:KqRPKwBV0UyLickMn0+BY1qIyE98kKyI216sH/TuHmc= +cloud.google.com/go/spanner v1.50.0/go.mod h1:eGj9mQGK8+hkgSVbHNQ06pQ4oS+cyc4tXXd6Dif1KoM= +cloud.google.com/go/speech v1.19.1/go.mod h1:WcuaWz/3hOlzPFOVo9DUsblMIHwxP589y6ZMtaG+iAA= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E= +cloud.google.com/go/storagetransfer v1.10.1/go.mod h1:rS7Sy0BtPviWYTTJVWCSV4QrbBitgPeuK4/FKa4IdLs= +cloud.google.com/go/talent v1.6.3/go.mod h1:xoDO97Qd4AK43rGjJvyBHMskiEf3KulgYzcH6YWOVoo= +cloud.google.com/go/texttospeech v1.7.2/go.mod h1:VYPT6aTOEl3herQjFHYErTlSZJ4vB00Q2ZTmuVgluD4= +cloud.google.com/go/tpu v1.6.2/go.mod h1:NXh3NDwt71TsPZdtGWgAG5ThDfGd32X1mJ2cMaRlVgU= +cloud.google.com/go/trace v1.10.2/go.mod h1:NPXemMi6MToRFcSxRl2uDnu/qAlAQ3oULUphcHGh1vA= +cloud.google.com/go/translate v1.9.1/go.mod h1:TWIgDZknq2+JD4iRcojgeDtqGEp154HN/uL6hMvylS8= +cloud.google.com/go/video v1.20.1/go.mod h1:3gJS+iDprnj8SY6pe0SwLeC5BUW80NjhwX7INWEuWGU= +cloud.google.com/go/videointelligence v1.11.2/go.mod h1:ocfIGYtIVmIcWk1DsSGOoDiXca4vaZQII1C85qtoplc= +cloud.google.com/go/vision/v2 v2.7.3/go.mod 
h1:V0IcLCY7W+hpMKXK1JYE0LV5llEqVmj+UJChjvA1WsM= +cloud.google.com/go/vmmigration v1.7.2/go.mod h1:iA2hVj22sm2LLYXGPT1pB63mXHhrH1m/ruux9TwWLd8= +cloud.google.com/go/vmwareengine v1.0.1/go.mod h1:aT3Xsm5sNx0QShk1Jc1B8OddrxAScYLwzVoaiXfdzzk= +cloud.google.com/go/vpcaccess v1.7.2/go.mod h1:mmg/MnRHv+3e8FJUjeSibVFvQF1cCy2MsFaFqxeY1HU= +cloud.google.com/go/webrisk v1.9.2/go.mod h1:pY9kfDgAqxUpDBOrG4w8deLfhvJmejKB0qd/5uQIPBc= +cloud.google.com/go/websecurityscanner v1.6.2/go.mod h1:7YgjuU5tun7Eg2kpKgGnDuEOXWIrh8x8lWrJT4zfmas= +cloud.google.com/go/workflows v1.12.1/go.mod h1:5A95OhD/edtOhQd/O741NSfIMezNTbCwLM1P1tBRGHM= +github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v55.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-autorest/autorest v0.11.6/go.mod h1:V6p3pKZx1KKkJubbxnDWrzNhEIfOy/pTGasLqzHIPHs= +github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest/adal v0.9.4/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.21/go.mod h1:zua7mBUaCc5YnSLKYgGJR/w5ePdMDA6H56upLsHzA9U= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.2/go.mod h1:q98IH4qgc3eWM4/WOeR5+YPmBuy8Lq0jNRDwSM0CuFk= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.1/go.mod h1:JfDgiIO1/RPu6z42AdQTyjOoCM2MFhLqSBDvMEkDgcg= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/BurntSushi/toml v1.2.1/go.mod 
h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/alecthomas/kingpin/v2 v2.3.2/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE= +github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/aws/aws-lambda-go v1.41.0/go.mod h1:jwFe2KmMsHmffA1X2R09hH6lFzJQxzI8qK17ewzbQMM= +github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= +github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= +github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= 
+github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg= +github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.1/go.mod h1:eD5Eo4drVP2FLTw0G+SMIPWNWvQRGGTtIZR2XeAagoA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw= +github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= +github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= +github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220517224237-e6f29200ae04/go.mod h1:Z+bXnIbhKJYSvxNwsNnwde7pDKxuqlEZCbUBoTwAqf0= +github.com/bazelbuild/bazelisk v1.13.2/go.mod h1:jVD8/E7hMAXgWKCljEz8hOV0PZ+nFBgCpjIOJ6Xyzus= +github.com/bazelbuild/rules_go v0.34.0/go.mod h1:MC23Dc/wkXEyk3Wpq6lCqz0ZAYOZDw2DR5y3N1q2i7M= +github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= +github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/bmatcuk/doublestar v1.2.1/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE= +github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/cheggaaa/pb/v3 
v3.1.4/go.mod h1:6wVjILNBaXMs8c21qRiaUM8BR82erfgau1DQ4iUXmSA= +github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08/go.mod h1:MAuu1uDJNOS3T3ui0qmKdPUwm59+bO19BbTph2wZafE= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= +github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cppforlife/cobrautil v0.0.0-20221021151949-d60711905d65/go.mod h1:2w+qxVu2KSGW78Ex/XaIqfh/OvBgjEsmN53S4T8vEyA= +github.com/cppforlife/go-cli-ui v0.0.0-20220425131040-94f26b16bc14/go.mod h1:AlgTssDlstr4mf92TR4DPITLfl5+7wEY4cKStCmeeto= +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec= +github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod 
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/daviddengcn/go-colortext v1.0.0/go.mod h1:zDqEI5NVUop5QPpVJUxE9UO10hRnmkD5G4Pmri9+m4c= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.16.0+incompatible h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM= +github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane 
v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= +github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= +github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw= +github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/getkin/kin-openapi v0.81.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0 
h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference 
v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gobuffalo/flect v0.2.3/go.mod h1:vmkQwuZYhN5Pc4ljYQZzP+1sq+NEkK+lh20jmEmX3jc= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod 
h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/cel-go v0.12.7/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= +github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/cel-go v0.17.8/go.mod 
h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= +github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= +github.com/google/go-pkcs11 v0.2.1-0.20230907215043-c6f79328ddf9/go.mod h1:6eQoGcuNJpa7jnd5pMGdkSaQpNDYvPlXWMcjXXThLlY= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof 
v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= 
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/k14s/semver/v4 v4.0.1-0.20210701191048-266d47ac6115/go.mod h1:mGrnmO5qnhJIaSiwMo05cvRL6Ww9ccYbTgNFcm6RHZQ= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/errcheck v1.6.3/go.mod h1:nXw/i/MfnvRHqXa7XXmQMUB0oNFGuBrNI8d8NLy0LPw= +github.com/kisielk/errcheck 
v1.7.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ= +github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc= +github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod 
h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/maxbrunsfeld/counterfeiter/v6 v6.7.0/go.mod h1:RVP6/F85JyxTrbJxWIdKU2vlSvK48iCMnMXRkSz7xtg= +github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1/go.mod h1:eyp4DdUJAKkr9tvxR3jWhw2mDK7CWABMG5r9uyaKC7I= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/opencontainers/image-spec v1.1.0-rc3/go.mod 
h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/openshift/build-machinery-go v0.0.0-20230824093055-6a18da01283c/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= +github.com/openshift/generic-admission-server v1.14.1-0.20231020105858-8dcc3c9b298f/go.mod h1:/CLsleDcQ6AFTGKJe9VL3Y4rB9DqX3fQwQv47q2/ZJc= +github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= +github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= +github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= +github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= +github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= +github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= +github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= +github.com/prometheus/client_model v0.5.0/go.mod 
h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= +github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= +github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= +github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww= +github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.1/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= 
+github.com/spf13/cobra v1.2.0/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= +github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= +github.com/vmware-tanzu/carvel-imgpkg v0.36.0 h1:ha5a3WUPaqpGlP+QRkKBA9WyT85vUPh7+57x94Cmj58= +github.com/vmware-tanzu/carvel-imgpkg v0.36.0/go.mod h1:8HeIt+froyx7iRjyZ/4py2wFMPXEFNyWUNUTQgAjD8M= +github.com/vmware-tanzu/carvel-imgpkg v0.38.2/go.mod h1:v9BcO1qfXwwIQFw2zmksdUkx8eI1e+/a0Md3xG2BzDE= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= +github.com/yuin/goldmark v1.1.25/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= +go.etcd.io/etcd/api/v3 v3.5.8/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k= +go.etcd.io/etcd/api/v3 v3.5.10/go.mod h1:TidfmT4Uycad3NM/o25fG3J07odo4GBB9hoxaodFCtI= +go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/pkg/v3 v3.5.8/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4= +go.etcd.io/etcd/client/pkg/v3 v3.5.10/go.mod h1:DYivfIviIuQ8+/lCq4vcxuseg2P2XbHygkKwFo9fc8U= +go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= +go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA= +go.etcd.io/etcd/client/v3 v3.5.8/go.mod h1:idZYIPVkttBJBiRigkB5EM0MmEyx8jcl18zCV3F5noc= +go.etcd.io/etcd/client/v3 v3.5.10/go.mod h1:RVeBnDz2PUEZqTpgqwAtUd8nAPf5kjyFyND7P1VkOKc= +go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs= +go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc= +go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib v0.20.0 
h1:ubFQUn0VCZ0gPwIoJfBJVpeBlyRMxu8Mm/huKWYd9p0= +go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0/go.mod h1:5z+/ZWJQKXa9YT34fQNx5K8Hd1EoIhvtUygUQPqEOgQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c= +go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= +go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ= +go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= +go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= +go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= +go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= +go.opentelemetry.io/otel/metric 
v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= +go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= +go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= +go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE= +go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= +go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= +go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= +go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= +go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= +go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= +go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM= +go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= +go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= +go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= 
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod 
h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net 
v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync 
v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220325203850-36772127a21f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0/go.mod 
h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools 
v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools 
v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= +gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod 
h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= +google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI= +google.golang.org/api v0.189.0/go.mod h1:FLWGJKb0hb+pU2j+rJqwbnsF+ym+fQs73rbJ+KAUgy8= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8/go.mod 
h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto 
v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= 
+google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= +google.golang.org/genproto v0.0.0-20240722135656-d784300faade/go.mod h1:FfBgJBJg9GcpPvKIuHSZ/aE1g2ecGL74upMzGZjiGEY= +google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20231030173426-d783a09b4405/go.mod h1:GRUCuLdzVqZte8+Dl/D4N25yLzcGqqWaYkeVOwulFqw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod 
h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod 
h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= +k8s.io/apiextensions-apiserver v0.27.7/go.mod h1:x0p+b5a955lfPz9gaDeBy43obM12s+N9dNHK6+dUL+g= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= +k8s.io/apimachinery v0.24.3/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= +k8s.io/apiserver v0.25.6/go.mod h1:IEp2B2/FvQ8GmdspscUoUS0iFF/GGc6NVrJ/cTM4OaA= +k8s.io/apiserver v0.27.7/go.mod h1:OrLG9RwCOerutAlo8QJW5EHzUG9Dad7k6rgcDUNSO/w= +k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM= +k8s.io/code-generator v0.17.2/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/code-generator v0.25.6/go.mod h1:aDxzxJynLKQkaa117y0FFcgZ5jG8+GobxZ2JUntmvKk= +k8s.io/code-generator v0.27.7/go.mod h1:w1YF/xQcTg+d9Ag+04xuRqER+q8rDnJ70ynLql8/RLA= +k8s.io/code-generator v0.30.3/go.mod h1:PFgBiv+miFV7TZYp+RXgROkhA+sWYZ+mtpbMLofMke8= +k8s.io/component-base v0.28.6 h1:G4T8VrcQ7xZou3by/fY5NU5mfxOBlWaivS2lPrEltAo= +k8s.io/component-base v0.28.6/go.mod h1:Dg62OOG3ALu2P4nAG00UdsuHoNLQJ5VsUZKQlLDcS+E= +k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= +k8s.io/component-helpers v0.29.0/go.mod h1:j2coxVfmzTOXWSE6sta0MTgNSr572Dcx68F6DD+8fWc= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= +k8s.io/klog 
v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kms v0.27.7/go.mod h1:JspOc8g6+cDlZfgW5GqnHS+OV6tAVyg4iXytCrqfNPw= +k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= +k8s.io/kube-aggregator v0.22.17/go.mod h1:J557nueFVurHA1JiDrxT1HlgygNQ+2exsTVUXiz2T7k= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/metrics v0.29.0/go.mod h1:UCuTT4dC/x/x6ODSk87IWIZQnuAfcwxOjb1gjWJdjMA= +k8s.io/metrics v0.30.3/go.mod h1:W06L2nXRhOwPkFYDJYWdEIS3u6JcJy3ebIPYbndRs6A= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= 
+modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +mvdan.cc/sh/v3 v3.5.1/go.mod h1:1JcoyAKm1lZw/2bZje/iYKWicU/KMd0rsyJeKHnsK4E= +mvdan.cc/sh/v3 v3.7.0/go.mod h1:K2gwkaesF/D7av7Kxl0HbF5kGOd2ArupNTX3X44+8l8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35/go.mod h1:WxjusMwXlKzfAs4p9km6XJRndVt2FROgMVCE4cdohFo= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISXqCDVVcyO8hLn12AKVYYUjM7ftlqsqmrhMZE0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= +sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= +sigs.k8s.io/controller-runtime v0.15.3/go.mod h1:kp4jckA4vTx281S/0Yk2LFEEQe67mjg+ev/yknv47Ds= +sigs.k8s.io/controller-tools v0.7.0/go.mod h1:bpBAo0VcSDDLuWt47evLhMLPxRPxMDInTEH/YbdeMK0= +sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= +sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= +sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3/go.mod h1:/d88dHCvoy7d0AKFT0yytezSGZKjsZBVs9YTkBHSGFk= +sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 
v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/lookup-service/Dockerfile b/lookup-service/Dockerfile new file mode 100644 index 000000000..0f4752279 --- /dev/null +++ b/lookup-service/Dockerfile @@ -0,0 +1,39 @@ +FROM fedora:39 + +RUN INSTALL_PKGS=" \ + findutils \ + gcc \ + glibc-langpack-en \ + procps \ + python3-devel \ + python3-pip \ + redhat-rpm-config \ + which \ + " && \ + dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ + dnf clean -y --enablerepo='*' all && \ + useradd -u 1001 -g 0 -M -d /opt/app-root/src default && \ + mkdir -p /opt/app-root/src && \ + chown -R 1001:0 /opt/app-root + +WORKDIR /opt/app-root/src + +ENV PYTHONUNBUFFERED=1 \ + PYTHONIOENCODING=UTF-8 \ + LC_ALL=en_US.UTF-8 \ + LANG=en_US.UTF-8 + +USER 1001 + +COPY --chown=1001:0 requirements.txt /opt/app-root/requirements.txt + +ENV PATH=/opt/app-root/bin:/opt/app-root/venv/bin:$PATH + +RUN python3 -m venv /opt/app-root/venv && \ + . /opt/app-root/venv/bin/activate && \ + pip install --no-cache-dir -U pip setuptools wheel && \ + pip install --no-cache-dir -r /opt/app-root/requirements.txt + +COPY --chown=1001:0 ./ /opt/app-root/src + +CMD [ "/opt/app-root/src/start-service.sh" ] diff --git a/lookup-service/README.md b/lookup-service/README.md new file mode 100644 index 000000000..d6bc49e3e --- /dev/null +++ b/lookup-service/README.md @@ -0,0 +1,6 @@ +Lookup Service +============== + +This directory holds the source code for the Educates lookup service. It +provides a high level REST API for accessing workshops, where workshops may +be spread across one or more training portals, including across clusters. diff --git a/lookup-service/requirements.txt b/lookup-service/requirements.txt new file mode 100644 index 000000000..bba9a5eeb --- /dev/null +++ b/lookup-service/requirements.txt 
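Review bot: The new `lookup-service/Dockerfile` pins its base only by tag (`FROM fedora:39`), so two builds of the same commit can resolve to different base layers; pinning by digest, `FROM fedora:39@sha256:<BASE-DIGEST-PLACEHOLDER>`, makes the image build reproducible and attestable. The `pip install --no-cache-dir -r /opt/app-root/requirements.txt` step installs exact versions but does not verify artifact hashes, so a `requirements.txt` with `--hash` entries installed under `pip install --require-hashes` would close that gap. The final `COPY --chown=1001:0 ./ /opt/app-root/src` copies the whole build context, so a `.dockerignore` next to the Dockerfile would keep stray local files out of the image.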
@@ -0,0 +1,7 @@ +kopf[full-auth]==1.37.2 +bcrypt==4.1.3 +aiohttp==3.10.2 +PyYAML==6.0.1 +pykube-ng==23.6.0 +wrapt==1.16.0 +PyJWT==2.8.0 diff --git a/lookup-service/service/__init__.py b/lookup-service/service/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/lookup-service/service/caches/__init__.py b/lookup-service/service/caches/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/lookup-service/service/caches/clients.py b/lookup-service/service/caches/clients.py new file mode 100644 index 000000000..64eb6ca1d --- /dev/null +++ b/lookup-service/service/caches/clients.py 
@@ -0,0 +1,60 @@ +"""Configuration for clients of the service.""" + +import fnmatch +from dataclasses import dataclass +from typing import List, Set + + +@dataclass +class ClientConfig: + """Configuration object for a client of the service.""" + + name: str + uid: str + issue: int + password: str + user: str + tenants: List[str] + roles: List[str] + + @property + def identity(self) -> str: + """Return the identity of the client.""" + + return f"client@educates:{self.uid}#{self.issue}" + + def revoke_tokens(self) -> None: + """Revoke all tokens issued to the client.""" + + self.issue += 1 + + def check_password(self, password: str) -> bool: + """Checks the password provided against the client's password.""" + + return self.password == password + + def validate_identity(self, identity: str) -> bool: + """Validate the identity provided against the client's identity.""" + + return self.identity == identity + + def has_required_role(self, *roles: str) -> Set: + """Check if the client has any of the roles provided. We return back a + set containing the roles that matched.""" + + matched_roles = set() + + for role in roles: + if role in self.roles: + matched_roles.add(role) + + return matched_roles + + def allowed_access_to_tenant(self, tenant: str) -> bool: + """Check if the client has access to the tenant.""" + + for pattern in self.tenants: + if fnmatch.fnmatch(tenant, pattern): + return True + + return False diff --git a/lookup-service/service/caches/clusters.py b/lookup-service/service/caches/clusters.py new file mode 100644 index 000000000..1dfa11ac4 --- /dev/null +++ b/lookup-service/service/caches/clusters.py 
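Review bot: `check_password` compares the stored and supplied values with `==`, which stops at the first differing character; for a credential check use `return hmac.compare_digest(self.password, password)` with `import hmac` added at the top of the file, so the comparison time does not depend on how much of the prefix matched. The dataclass also keeps `password` as an ordinary field, so it appears in the generated `repr()` and in any log line that formats a `ClientConfig`; declaring it as `password: str = field(repr=False)` (with `field` imported from `dataclasses`) keeps it out of the repr. `has_required_role` is annotated `-> Set` with no type argument; `Set[str]` is what the loop actually builds.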
@@ -0,0 +1,48 @@ +"""Configuration for target clusters.""" + +from dataclasses import dataclass +from typing import TYPE_CHECKING, Any, Dict, List + +if TYPE_CHECKING: + from .portals import TrainingPortal + + +@dataclass +class ClusterConfig: + """Configuration object for a target cluster. This includes a database of + the training portals hosted on the cluster.""" + + name: str + uid: str + labels: List[Dict[str, str]] + kubeconfig: Dict[str, Any] + portals: Dict[str, "TrainingPortal"] + + def __init__( + self, name: str, uid: str, labels: List[Dict[str, str]], kubeconfig: Dict[str, Any] + ): + self.name = name + self.uid = uid + self.labels = labels + self.kubeconfig = kubeconfig + self.portals = {} + + def add_portal(self, portal: "TrainingPortal") -> None: + """Add a portal to the cluster.""" + + self.portals[portal.name] = portal + + def remove_portal(self, name: str) -> None: + """Remove a portal from the cluster.""" + + self.portals.pop(name, None) + + def get_portals(self) -> List["TrainingPortal"]: + """Retrieve a list of portals from the cluster.""" + + return list(self.portals.values()) + + def get_portal(self, name: str) -> "TrainingPortal": + """Retrieve a portal from the cluster by name.""" + + return self.portals.get(name) diff --git a/lookup-service/service/caches/databases.py b/lookup-service/service/caches/databases.py new file mode 100644 index 000000000..2dd376889 --- /dev/null +++ b/lookup-service/service/caches/databases.py 
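Review bot: `get_portal` is annotated `-> "TrainingPortal"` but `self.portals.get(name)` yields `None` for an unknown name, so callers are not told to handle the miss; `-> Optional["TrainingPortal"]` (adding `Optional` to the `typing` import) states the real contract. The explicit `__init__` next to `@dataclass` suppresses the generated one, which looks deliberate because `portals` is not a constructor argument, but a comment such as `# Explicit __init__ so that portals always starts empty rather than being passed in.` would save the next reader from wondering. `kubeconfig` presumably carries cluster credentials and is part of the generated repr, so `field(repr=False)` is worth considering for it as well.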
@@ -0,0 +1,126 @@ +"""Database classes for storing state of everything.""" + +from dataclasses import dataclass +from typing import TYPE_CHECKING, Dict, List + +if TYPE_CHECKING: + from .clients import ClientConfig + from .clusters import ClusterConfig + from .tenants import TenantConfig + + +@dataclass +class ClientDatabase: + """Database for storing client configurations. Clients are stored in a + dictionary with the client's name as the key and the client configuration + object as the value.""" + + clients: Dict[str, "ClientConfig"] + + def __init__(self) -> None: + self.clients = {} + + def update_client(self, client: "ClientConfig") -> None: + """Update the client in the database. If the client does not exist in + the database, it will be added.""" + + self.clients[client.name] = client + + def remove_client(self, name: str) -> None: + """Remove a client from the database.""" + + self.clients.pop(name, None) + + def get_clients(self) -> List["ClientConfig"]: + """Retrieve a list of clients from the database.""" + + return list(self.clients.values()) + + def get_client(self, name: str) -> "ClientConfig": + """Retrieve a client from the database by name.""" + + return self.clients.get(name) + + def authenticate_client(self, name: str, password: str) -> str | None: + """Validate a client's credentials. Returning the the client if + the credentials are valid.""" + + client = self.get_client(name) + + if client is None: + return + + if client.check_password(password): + return client + + +@dataclass +class TenantDatabase: + """Database for storing tenant configurations. Tenants are stored in a + dictionary with the tenant's name as the key and the tenant configuration + object as the value.""" + + tenants: Dict[str, "TenantConfig"] + + def __init__(self): + self.tenants = {} + + def update_tenant(self, tenant: "TenantConfig") -> None: + """Update the tenant in the database. 
If the tenant does not exist in + the database, it will be added.""" + + self.tenants[tenant.name] = tenant + + def remove_tenant(self, name: str) -> None: + """Remove a tenant from the database.""" + + self.tenants.pop(name, None) + + def get_tenants(self) -> List["TenantConfig"]: + """Retrieve a list of tenants from the database.""" + + return list(self.tenants.values()) + + def get_tenant(self, name: str) -> "TenantConfig": + """Retrieve a tenant from the database by name.""" + + return self.tenants.get(name) + + +@dataclass +class ClusterDatabase: + """Database for storing cluster configurations. Clusters are stored in a + dictionary with the cluster's name as the key and the cluster configuration + object as the value.""" + + clusters: Dict[str, "ClusterConfig"] + + def __init__(self) -> None: + self.clusters = {} + + def add_cluster(self, cluster: "ClusterConfig") -> None: + """Add the cluster to the database.""" + + self.clusters[cluster.name] = cluster + + def remove_cluster(self, name: str) -> None: + """Remove a cluster from the database.""" + + self.clusters.pop(name, None) + + def get_clusters(self) -> List["ClusterConfig"]: + """Retrieve a list of clusters from the database.""" + + return list(self.clusters.values()) + + def get_cluster(self, name: str) -> "ClusterConfig": + """Retrieve a cluster from the database by name.""" + + return self.clusters.get(name) + + +# Create the database instances. + +client_database = ClientDatabase() +tenant_database = TenantDatabase() +cluster_database = ClusterDatabase() diff --git a/lookup-service/service/caches/environments.py b/lookup-service/service/caches/environments.py new file mode 100644 index 000000000..929be22bd --- /dev/null +++ b/lookup-service/service/caches/environments.py 
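Review bot: `authenticate_client` is annotated `-> str | None` but returns the `ClientConfig` object obtained from `get_client`, so the annotation disagrees with both the docstring and any caller that uses the result as a client; `-> Union["ClientConfig", None]` (adding `Union` to the `typing` import) describes what is returned. The docstring also reads "Returning the the client", a doubled word. The same `.get()`-returns-`None` mismatch applies to `get_client`, `get_tenant` and `get_cluster`, whose return annotations omit the `None` case.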
@@ -0,0 +1,129 @@ +"""Configuration for workshop environments.""" + +import logging +from dataclasses import dataclass +from typing import TYPE_CHECKING, Dict, List + +from aiohttp import ClientSession +from wrapt import synchronized + +if TYPE_CHECKING: + from .portals import TrainingPortal + from .sessions import WorkshopSession + +logger = logging.getLogger("educates") + + +@dataclass +class WorkshopEnvironment: + """Snapshot of workshop environment state. This includes a database of + the workshop sessions created from the workshop environment.""" + + portal: "TrainingPortal" + name: str + uid: str + generation: int + workshop: str + title: str + description: str + labels: List[Dict[str, str]] + capacity: int + reserved: int + allocated: int + available: int + phase: str + sessions: Dict[str, "WorkshopSession"] + + def __init__( + self, + portal: "TrainingPortal", + name: str, + uid: str, + generation: int, + workshop: str, + title: str, + description: str, + labels: List[Dict[str, str]], + capacity: int, + reserved: int, + allocated: int, + available: int, + phase: str, + ) -> None: + self.portal = portal + self.name = name + self.uid = uid + self.generation = generation + self.workshop = workshop + self.title = title + self.description = description + self.labels = labels + self.capacity = capacity + self.reserved = reserved + self.allocated = allocated + self.available = available + self.phase = phase + self.sessions = {} + + def get_sessions(self) -> Dict[str, "WorkshopSession"]: + """Returns all workshop sessions.""" + + return list(self.sessions.values()) + + def get_session(self, session_name: str) -> "WorkshopSession": + """Returns a workshop session by name.""" + + return self.sessions.get(session_name) + + def add_session(self, session: "WorkshopSession") -> None: + """Add a session to the environment.""" + + self.sessions[session.name] = session + + def remove_session(self, session_name: str) -> None: + """Remove a session from the environment.""" + 
+ self.sessions.pop(session_name, None) + + @synchronized + def recalculate_capacity(self) -> None: + """Recalculate the available capacity of the environment.""" + + allocated = 0 + available = 0 + + for session in list(self.sessions.values()): + if session.phase == "Allocated": + allocated += 1 + elif session.phase == "Available": + available += 1 + + self.allocated = allocated + self.available = available + + logger.info( + "Recalculated capacity for environment %s of portal %s in cluster %s: %s", + self.name, + self.portal.name, + self.portal.cluster.name, + {"allocated": allocated, "available": available}, + ) + + async def request_workshop_session( + self, user_id: str, parameters: List[Dict[str, str]], index_url: str + ) -> Dict[str, str] | None: + """Request a workshop session for a user.""" + + portal = self.portal + + async with ClientSession() as http_client: + async with portal.client_session(http_client) as portal_client: + if not portal_client.connected: + return + + return await portal_client.request_workshop_session( + environment_name=self.name, + user_id=user_id, + parameters=parameters, + index_url=index_url, + ) diff --git a/lookup-service/service/caches/portals.py b/lookup-service/service/caches/portals.py new file mode 100644 index 000000000..675dce1eb --- /dev/null +++ b/lookup-service/service/caches/portals.py 
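Review bot: `get_sessions` is annotated `-> Dict[str, "WorkshopSession"]` but returns `list(self.sessions.values())`; `-> List["WorkshopSession"]` matches the body and the same-named method on `TrainingPortal` in this commit. `recalculate_capacity` is wrapped in `@synchronized` while `add_session` and `remove_session` mutate `self.sessions` without it, and the `list(...)` copy inside the loop suggests concurrent mutation is anticipated; a sentence in the docstring stating the intended locking, e.g. `Serialised with @synchronized; sessions is copied before iteration because add_session/remove_session do not take the lock.`, would make that expectation explicit.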
@@ -0,0 +1,368 @@ +"""Configuration database for training portals.""" + +import logging +from dataclasses import dataclass +from typing import TYPE_CHECKING, Dict, List, Tuple, Union + +from aiohttp import BasicAuth, ClientSession, ClientConnectorError + +from .clusters import ClusterConfig + +if TYPE_CHECKING: + from .environments import WorkshopEnvironment + from .sessions import WorkshopSession + + +logger = logging.getLogger("educates") + + +@dataclass +class PortalCredentials: + """Configuration object for a portal's authentication.""" + + client_id: str + client_secret: str + username: str + password: str + + +@dataclass +class TrainingPortal: + """Snapshot of training portal state. This includes a database of the + workshop environments managed by the training portal.""" + + cluster: ClusterConfig + name: str + uid: str + generation: int + labels: List[Dict[str, str]] + url: str + credentials: PortalCredentials + phase: str + capacity: int + allocated: int + environments: Dict[str, "WorkshopEnvironment"] + + def __init__( + self, + cluster: ClusterConfig, + name: str, + uid: str, + generation: int, + labels: List[Dict[str, str]], + url: str, + credentials: PortalCredentials, + phase: str, + capacity: int, + allocated: int, + ) -> None: + self.cluster = cluster + self.name = name + self.uid = uid + self.generation = generation + self.labels = labels + self.url = url + self.credentials = credentials + self.phase = phase + self.capacity = capacity + self.allocated = allocated + self.environments = {} + + def get_environments(self) -> List["WorkshopEnvironment"]: + """Returns all workshop environments.""" + + return list(self.environments.values()) + + def get_running_environments(self) -> List["WorkshopEnvironment"]: + """Returns all running workshop environments.""" + + return [ + environment + for environment in self.environments.values() + if environment.phase == "Running" + ] + + def get_environment(self, environment_name: str) -> "WorkshopEnvironment": + 
"""Returns a workshop environment by name.""" + + return self.environments.get(environment_name) + + def add_environment(self, environment: "WorkshopEnvironment") -> None: + """Add a workshop environment to the portal.""" + + self.environments[environment.name] = environment + + def remove_environment(self, environment_name: str) -> None: + """Remove a workshop environment from the portal.""" + + self.environments.pop(environment_name, None) + + def hosts_workshop(self, workshop_name: str) -> bool: + """Check if the portal hosts a workshop.""" + + for environment in self.environments.values(): + if environment.workshop == workshop_name: + return True + + return False + + def recalculate_capacity(self) -> None: + """Recalculate the capacity of the portal.""" + + for environment in self.environments.values(): + environment.recalculate_capacity() + + self.allocated = sum( + environment.allocated for environment in self.environments.values() + ) + + logger.info( + "Recalculated capacity for portal %s in cluster %s: %s", + self.name, + self.cluster.name, + {"allocated": self.allocated, "capacity": self.capacity}, + ) + + def find_existing_workshop_session_for_user( + self, user_id: str, workshop_name: str + ) -> Union["WorkshopSession", None]: + """Find an existing workshop session for a user.""" + + for environment in self.environments.values(): + for session in environment.get_sessions(): + if ( + session.user == user_id + and session.environment.workshop == workshop_name + ): + return session + + return None + + def client_session(self, session: ClientSession) -> "TrainingPortalClientSession": + """Create a HTTP client session for accessing the remote training + portal.""" + + return TrainingPortalClientSession(self, session) + + +@dataclass +class TrainingPortalClientSession: + """HTTP client session for accessing the remote training portal.""" + + portal: TrainingPortal + session: ClientSession + access_token: str | None + + def __init__(self, portal: 
TrainingPortal, session: ClientSession) -> None: + self.portal = portal + self.session = session + self.access_token = None + + async def __aenter__(self) -> "TrainingPortalClientSession": + """Login to the portal service.""" + + await self.login() + + return self + + async def __aexit__(self, exc_type, exc_value, traceback) -> None: + """Logout from the portal service.""" + + await self.logout() + + @property + def connected(self): + """Check if the client session is connected.""" + + return bool(self.access_token) + + async def login(self) -> bool: + """Login to the portal service .""" + + try: + async with self.session.post( + f"{self.portal.url}/oauth2/token/", + data={ + "grant_type": "password", + "username": self.portal.credentials.username, + "password": self.portal.credentials.password, + }, + auth=BasicAuth( + self.portal.credentials.client_id, + self.portal.credentials.client_secret, + ), + ) as response: + if response.status != 200: + logger.error( + "Failed to login to portal %s of cluster %s.", + self.portal.name, + self.portal.cluster.name, + ) + + return False + + data = await response.json() + + self.access_token = data.get("access_token") + + return True + + except ClientConnectorError as exc: + logger.error( + "Failed to connect to portal %s of cluster %s when attempting to login: %s", + self.portal.name, + self.portal.cluster.name, + exc, + ) + + return False + + async def logout(self) -> None: + """Logout from the portal service.""" + + if not self.connected: + return + + try: + async with self.session.post( + f"{self.portal.url}/oauth2/revoke-token/", + data={ + "client_id": self.portal.credentials.client_id, + "client_secret": self.portal.credentials.client_secret, + "token": self.access_token, + }, + ) as response: + if response.status != 200: + logger.error( + "Failed to logout from portal %s of cluster %s.", + self.portal.name, + self.portal.cluster.name, + ) + + except ClientConnectorError as exc: + logger.error( + "Failed to connect to 
portal %s of cluster %s when attempting to logout: %s", + self.portal.name, + self.portal.cluster.name, + exc, + ) + + async def reacquire_workshop_session( + self, user_id: str, environment_name: str, session_name: str, index_url: str + ) -> Dict[str, str] | None: + """Reacquire a workshop session for a user.""" + + if not self.connected: + return + + if not session_name: + return + + headers = {"Authorization": f"Bearer {self.access_token}"} + + try: + async with self.session.get( + f"{self.portal.url}/workshops/environment/{environment_name}/request/", + headers=headers, + params={ + "index_url": index_url, + "user": user_id, + "session": session_name, + }, + ) as response: + if response.status != 200: + logger.error( + "Failed to reacquire session %s from portal %s of cluster %s for user %s.", + session_name, + self.portal.name, + self.portal.cluster.name, + user_id, + ) + logger.error("Failed response status: %s", response.status) + logger.error("Failed response text: %s", await response.text()) + + return + + data = await response.json() + + url = data.get("url") + + if url: + return { + "clusterName": self.portal.cluster.name, + "portalName": self.portal.name, + "environmentName": environment_name, + "sessionName": session_name, + "clientUserId": user_id, + "sessionActivationUrl": f"{self.portal.url}{url}", + } + + except ClientConnectorError as exc: + logger.error( + "Failed to connect to portal %s of cluster %s when attempting to reacquire session %s for user %s: %s", # pylint: disable=line-too-long + self.portal.name, + self.portal.cluster.name, + session_name, + user_id, + exc, + ) + + async def request_workshop_session( + self, + environment_name: str, + user_id: str, + parameters: List[Dict[str, str]], + index_url: str, + ) -> Dict[str, str] | None: + """Request a workshop session for a user.""" + + if not self.connected: + return + + headers = {"Authorization": f"Bearer {self.access_token}"} + + try: + async with self.session.get( + 
f"{self.portal.url}/workshops/environment/{environment_name}/request/", + headers=headers, + params={ + "user": user_id, + "index_url": index_url, + }, + json={"parameters": parameters}, + ) as response: + if response.status != 200: + logger.error( + "Failed to request session from portal %s of cluster %s for user %s.", + self.portal.name, + self.portal.cluster.name, + user_id, + ) + logger.error("Failed response status: %s", response.status) + logger.error("Failed response text: %s", await response.text()) + + return + + data = await response.json() + + url = data.get("url") + session_name = data.get("name") + + if url: + return { + "clusterName": self.portal.cluster.name, + "portalName": self.portal.name, + "environmentName": environment_name, + "sessionName": session_name, + "clientUserId": user_id, + "sessionActivationUrl": f"{self.portal.url}{url}", + } + + except ClientConnectorError as exc: + logger.error( + "Failed to connect to portal %s of cluster %s when attempting to request session for user %s: %s", # pylint: disable=line-too-long + self.portal.name, + self.portal.cluster.name, + user_id, + exc, + ) diff --git a/lookup-service/service/caches/sessions.py b/lookup-service/service/caches/sessions.py new file mode 100644 index 000000000..96b2abc89 --- /dev/null +++ b/lookup-service/service/caches/sessions.py 
@@ -0,0 +1,37 @@ +"""Model objects for workshop sessions.""" + +from dataclasses import dataclass +from typing import TYPE_CHECKING, Dict + +from aiohttp import ClientSession + +if TYPE_CHECKING: + from .environments import WorkshopEnvironment + + +@dataclass +class WorkshopSession: + """Snapshot of workshop session state.""" + + environment: "WorkshopEnvironment" + name: str + generation: int + phase: str + user: str + + async def reacquire_workshop_session(self, index_url: str) -> Dict[str, str] | None: + """Reacquire a workshop session for a user.""" + + portal = self.environment.portal + + async with ClientSession() as http_client: + async with portal.client_session(http_client) as portal_client: + if not portal_client.connected: + return + + return await portal_client.reacquire_workshop_session( + self.user, + environment_name=self.environment.name, + session_name=self.name, + index_url=index_url, + ) diff --git a/lookup-service/service/caches/tenants.py b/lookup-service/service/caches/tenants.py new file mode 100644 index 000000000..aa69cdfe9 --- /dev/null +++ b/lookup-service/service/caches/tenants.py 
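Review bot: `reacquire_workshop_session` passes `self.user` positionally and the remaining arguments by keyword, whereas the sibling call in `environments.py` passes everything by keyword; writing `user_id=self.user,` makes the call consistent and robust to any reordering of the client method's parameters. `WorkshopSession` also relies on the generated dataclass `__init__`, unlike `WorkshopEnvironment` and `TrainingPortal` which define their own, so a brief comment noting that `environment` must be supplied on construction would help readers coming from those classes.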
@@ -0,0 +1,74 @@ +"""Configuration database for training plaform tenants.""" + +from dataclasses import dataclass +from typing import Any, Dict, List + +from ..helpers.selectors import ResourceSelector +from .clusters import ClusterConfig +from .databases import cluster_database +from .portals import TrainingPortal + + +@dataclass +class TenantConfig: + """Configuration object for a tenant of the training platform.""" + + name: str + clusters: ResourceSelector + portals: ResourceSelector + + def __init__(self, name: str, clusters: Dict[str, Any], portals: Dict[str, Any]): + self.name = name + self.clusters = ResourceSelector(clusters) + self.portals = ResourceSelector(portals) + + def allowed_access_to_cluster(self, cluster: ClusterConfig) -> bool: + """Check if the tenant has access to the cluster.""" + + # Fake up a resource metadata object for the cluster. + + resource = { + "metadata": { + "name": cluster.name, + "uid": cluster.uid, + "labels": { + item["name"]: item["value"] for item in list(cluster.labels) + }, + }, + } + + return self.clusters.match_resource(resource) + + def allowed_access_to_portal(self, portal: TrainingPortal) -> bool: + """Check if the tenant has access to the portal.""" + + # Fake up a resource metadata object for the portal. + + resource = { + "metadata": { + "name": portal.name, + "uid": portal.uid, + "labels": {item["name"]: item["value"] for item in list(portal.labels)}, + }, + } + + return self.portals.match_resource(resource) + + def portals_which_are_accessible(self) -> List[TrainingPortal]: + """Retrieve a list of training portals accessible by a tenant.""" + + # Get the list of clusters and portals that match the tenant's rules. + # To do this we iterate over all the portals and for each portal we then + # check the cluster it belongs to against the tenant's cluster rules. + # If the portal's cluster matches the tenant's cluster rules, we then + # check the portal itself against the tenant's portal rules. 
+ + accessible_portals = [] + + for cluster in cluster_database.get_clusters(): + if self.allowed_access_to_cluster(cluster): + for portal in cluster.get_portals(): + if self.allowed_access_to_portal(portal): + accessible_portals.append(portal) + + return accessible_portals diff --git a/lookup-service/service/config.py b/lookup-service/service/config.py new file mode 100644 index 000000000..4b906e43b --- /dev/null +++ b/lookup-service/service/config.py @@ -0,0 +1,36 @@ +"""Configuration for the lookup service.""" + +import functools +import random + + +@functools.lru_cache(maxsize=1) +def jwt_token_secret() -> str: + """Return the application secret key used to sign the JWT tokens. If we are + running inside a Kubernetes cluster, we use the in-cluster Kubernetes access + token as the secret key. Otherwise, we generate a random secret key. The + result is cached to avoid regenerating the secret key for each request. This + means that for randomly generated keys, the key will be the same for the + life of the process. In the case of running in a Kubernetes cluster, the + secret key will be the same for the life of the container the process runs + in, with subsequent instances of the container using the same secret key, + so long as the Kubernetes access token doesn't rotated. When the pod is + restarted after the Kubernetes access token has rotated, a new secret key + will be generated and clients will need to login again. + """ + + # Check if we are running inside a Kubernetes cluster and if we are, use the + # Kubernetes access token as the secret key. + + try: + with open( + "/var/run/secrets/kubernetes.io/serviceaccount/token", encoding="utf-8" + ) as f: + return f.read() + + except FileNotFoundError: + # Generate a random secret key using random.choice() to select from a + # string of characters. + + characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + return "".join(random.choice(characters) for _ in range(64)) 
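Review bot: The label comprehensions in `allowed_access_to_cluster` and `allowed_access_to_portal` index `item["name"]` and `item["value"]` directly, so a label entry missing either key raises `KeyError` out of an access check on the request path; whether a malformed label should deny access or be rejected when the cluster or portal is registered is a design choice, but it should be decided rather than surfacing as an unhandled exception. The `list(cluster.labels)` and `list(portal.labels)` copies are unnecessary since the comprehension only reads the sequence. `portals_which_are_accessible` can be a single comprehension, `[portal for cluster in cluster_database.get_clusters() if self.allowed_access_to_cluster(cluster) for portal in cluster.get_portals() if self.allowed_access_to_portal(portal)]`, which preserves the cluster-before-portal order the comment describes. The module docstring has "plaform" for "platform".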
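Review bot: The fallback in `jwt_token_secret` generates the JWT signing key with `random.choice`, a non-cryptographic PRNG that is unsuitable for key material; the two lines in the `except FileNotFoundError` branch should become `return secrets.token_hex(32)` with `import secrets` replacing `import random`. Using the service-account token itself as the HMAC secret also means the signing key is only as private as that file, which is additionally presented to the Kubernetes API server as a bearer credential; deriving a separate key from it, or mounting a dedicated secret, would keep the two roles apart, and the docstring should state whichever choice is made. The docstring also reads "doesn't rotated" where "isn't rotated" is meant.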
diff --git a/lookup-service/service/handlers/__init__.py b/lookup-service/service/handlers/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/lookup-service/service/handlers/clients.py b/lookup-service/service/handlers/clients.py new file mode 100644 index 000000000..8201ab041 --- /dev/null +++ b/lookup-service/service/handlers/clients.py 
@@ -0,0 +1,71 @@
+"""Operator handlers for client configuration resources."""
+
+import logging
+from typing import Any, Dict
+
+import kopf
+
+from ..caches.clients import ClientConfig
+from ..helpers.objects import xgetattr
+from ..service import ServiceState
+
+logger = logging.getLogger("educates")
+
+
+@kopf.on.resume("clientconfigs.lookup.educates.dev")
+@kopf.on.create("clientconfigs.lookup.educates.dev")
+@kopf.on.update("clientconfigs.lookup.educates.dev")
+def clientconfigs_update(
+ name: str, meta: kopf.Meta, spec: kopf.Spec, memo: ServiceState, reason: str, **_
+) -> Dict[str, Any]:
+ """Add the client configuration to the client database."""
+
+ generation = meta["generation"]
+
+ client_name = name
+
+ client_uid = xgetattr(meta, "uid")
+ client_password = xgetattr(spec, "client.password")
+ client_user = xgetattr(spec, "user")
+ client_tenants = xgetattr(spec, "tenants", [])
+ client_roles = xgetattr(spec, "roles", [])
+
+ logger.info(
+ "%s client configuration %r with generation %s.",
+ (reason == "update") and "Update" or "Register",
+ name,
+ generation,
+ )
+
+ client_database = memo.client_database
+
+ client_database.update_client(
+ ClientConfig(
+ name=client_name,
+ uid=client_uid,
+ issue=1,
+ password=client_password,
+ user=client_user,
+ tenants=client_tenants,
+ roles=client_roles,
+ )
+ )
+
+ return {}
+
+
+@kopf.on.delete("clientconfigs.lookup.educates.dev")
+def clientconfigs_delete(name: str, meta: kopf.Meta, memo: ServiceState, **_) -> None:
+ """Remove the client configuration from the client database."""
+
+ generation = meta["generation"]
+
+ client_database = memo.client_database
+
+ client_name = name
+
+ logger.info(
+ "Discard client configuration %r with generation %s.", client_name, generation
+ )
+
+ client_database.remove_client(client_name)
diff --git a/lookup-service/service/handlers/clusters.py b/lookup-service/service/handlers/clusters.py
new file mode 100644
index 000000000..c9cdebd84
--- /dev/null
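Review bot: `client_password = xgetattr(spec, "client.password")` takes the client credential straight from the ClientConfig custom resource, so the secret is stored in plaintext in a CRD object whose read RBAC is usually much broader than that of Secrets, and it will also appear in `kubectl get -o yaml` output and audit logs. The cluster handler added in this same commit already resolves `credentials.kubeconfig.secretRef.name`/`key` from a Secret via the kopf index; the same `client.secretRef` pattern (falling back to the inline value for compatibility) would fit here. The value is passed unchanged into `ClientConfig(password=...)`; I cannot see that class from this hunk, so if it is not hashed there, make sure the login path compares it with `hmac.compare_digest` rather than `==`. The hard-coded `issue=1` also needs a one-line comment explaining what the counter means, since nothing in this file says.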
+++ b/lookup-service/service/handlers/clusters.py 
@@ -0,0 +1,655 @@ +"""Operator handlers for cluster configuration resources.""" + +import asyncio +import base64 +import logging +from typing import Any, Dict + +import kopf +import yaml +from wrapt import synchronized + +from ..caches.clusters import ClusterConfig +from ..caches.environments import WorkshopEnvironment +from ..caches.portals import PortalCredentials, TrainingPortal +from ..caches.sessions import WorkshopSession +from ..helpers.kubeconfig import ( + create_kubeconfig_from_access_token_secret, + extract_context_from_kubeconfig, + verify_kubeconfig_format, +) +from ..helpers.objects import xgetattr +from ..helpers.operator import GenericOperator +from ..service import ServiceState + +logger = logging.getLogger("educates") + + +@kopf.index("secrets", when=lambda body, **_: body.get("type") == "Opaque") +def secrets_index(namespace: str, name: str, body: kopf.Body, **_) -> dict: + """Keeps an index of secret data by namespace and name. This is so we can + easily retrieve the kubeconfig data for each cluster when starting the + training platform operator.""" + + # Note that under normal circumstances only a single namespace should be + # monitored, thus we are not caching secrets from the whole cluster but + # only where the operator is deployed. This is to avoid potential security + # issues and memory bloat from caching secrets from the whole cluster. + + return {(namespace, name): xgetattr(body, "data", {})} + + +@kopf.on.resume("clusterconfigs.lookup.educates.dev") +@kopf.on.create("clusterconfigs.lookup.educates.dev") +@kopf.on.update("clusterconfigs.lookup.educates.dev") +def clusterconfigs_update( + namespace: str, + name: str, + uid: str, + meta: kopf.Meta, + spec: kopf.Spec, + secrets_index: Dict[str, Any], + memo: ServiceState, + retry: int, + **_, +): # pylint: disable=redefined-outer-name + """Add the cluster configuration to the cluster database.""" + + generation = meta.get("generation") + + # We need to cache the kubeconfig data. 
This can be provided in a separate + # secret or it can be read from a mounted secret for the case of the local + # cluster. + + secret_ref_name = xgetattr(spec, "credentials.kubeconfig.secretRef.name") + + if secret_ref_name is not None: + config_key = xgetattr(spec, "credentials.kubeconfig.secretRef.key", "config") + + # Make sure the secret holding the kubeconfig has been seen already and + # that the key for the kubeconfig file is present in the data. + + if (namespace, secret_ref_name) not in secrets_index: + raise kopf.TemporaryError( + f"Secret {secret_ref_name} required for cluster configuration {name} not found.", + delay=5, + ) + + cluster_config_data, *_ = secrets_index[(namespace, secret_ref_name)] + + if config_key not in cluster_config_data: + raise kopf.TemporaryError( + f"Key {config_key} not found in secret {secret_ref_name} required for cluster configuration {name}.", # pylint: disable=line-too-long + delay=5 if not retry else 15, + ) + + # Decode the base64 encoded kubeconfig data and load it as a yaml + # document. + + try: + kubeconfig = yaml.safe_load( + base64.b64decode( + xgetattr(cluster_config_data, config_key, "").encode("UTF-8") + ) + ) + except yaml.YAMLError as exc: + raise kopf.TemporaryError( + f"Failed to load kubeconfig data from secret {secret_ref_name} required for cluster configuration {name}.", # pylint: disable=line-too-long + delay=5 if not retry else 15, + ) from exc + + try: + verify_kubeconfig_format(kubeconfig) + except ValueError as exc: + raise kopf.TemporaryError( + f"Invalid kubeconfig data in secret {secret_ref_name} required for cluster configuration {name}.", # pylint: disable=line-too-long + delay=5 if not retry else 15, + ) from exc + + # Extract only the context from the kubeconfig file that is required + # for the cluster configuration. 
+ + try: + kubeconfig = extract_context_from_kubeconfig( + kubeconfig, xgetattr(spec, "credentials.kubeconfig.context") + ) + except ValueError as exc: + raise kopf.TemporaryError( + f"Failed to extract kubeconfig context from secret {secret_ref_name} required for cluster configuration {name}.", # pylint: disable=line-too-long + delay=5 if not retry else 15, + ) from exc + + else: + # For the local cluster, we access credentials for accessing the cluster + # from a mounted Kubernetes access token secret. Note that we do not + # know the external URL of the local cluster, so we use the internal + # Kubernetes service URL. This will need to be replaced if the + # kubeconfig is used for accessing the cluster from outside the cluster. + + server = "https://kubernetes.default.svc" + + # TODO: Make the path to the access token secret configurable. + + kubeconfig = create_kubeconfig_from_access_token_secret( + "/opt/cluster-access-token", name, server + ) + + # Update the cluster configuration in the cluster database. 
+ + cluster_database = memo.cluster_database + + with synchronized(cluster_database): + cluster_config = cluster_database.get_cluster(name) + + if not cluster_config: + logger.info( + "Registering cluster configuration %r with generation %s.", + name, + generation, + ) + + cluster_database.add_cluster( + ClusterConfig( + name=name, + uid=uid, + labels=xgetattr(spec, "labels", []), + kubeconfig=kubeconfig, + ) + ) + + else: + logger.info( + "Updating cluster configuration %r with generation %s.", + name, + generation, + ) + + cluster_config.labels = xgetattr(spec, "labels", []) + cluster_config.kubeconfig = kubeconfig + + +@kopf.on.delete("clusterconfigs.lookup.educates.dev") +def clusterconfigs_delete(name: str, meta: kopf.Meta, memo: ServiceState, **_): + """Remove the cluster configuration from the cluster database.""" + + generation = meta.get("generation") + + cluster_database = memo.cluster_database + + logger.info("Delete cluster configuration %r with generation %s", name, generation) + + cluster_database.remove_cluster(name) + + +class ClusterOperator(GenericOperator): + """Operator for interacting with training platform on separate cluster.""" + + def __init__(self, cluster_name: str, service_state: ServiceState) -> None: + """Initializes the operator.""" + + super().__init__(cluster_name, service_state=service_state) + + def register_handlers(self) -> None: + """Register the handlers for the training platform operator.""" + + @kopf.on.event( + "trainingportals.training.educates.dev", + registry=self.operator_registry, + ) + async def trainingportals_event(event: kopf.RawEvent, **_): + """Handles events for training portals.""" + + body = xgetattr(event, "object", {}) + metadata = xgetattr(body, "metadata", {}) + spec = xgetattr(body, "spec", {}) + status = xgetattr(body, "status", {}) + + portal_name = xgetattr(metadata, "name") + portal_uid = xgetattr(metadata, "uid") + + with synchronized(self.cluster_config): + if xgetattr(event, "type") == "DELETED": + 
logger.info( + "Discard training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + self.cluster_name, + ) + + portal_state = self.cluster_config.get_portal(portal_name) + + if portal_state: + self.cluster_config.remove_portal(portal_name) + + # Mark as stopped in case any workshop environments + # which reference it still haven't been cleaned up. + + portal_state.phase = "Stopped" + + else: + credentials = PortalCredentials( + client_id=xgetattr(status, "educates.clients.robot.id"), + client_secret=xgetattr(status, "educates.clients.robot.secret"), + username=xgetattr(status, "educates.credentials.robot.username"), + password=xgetattr(status, "educates.credentials.robot.password"), + ) + + portal_state = self.cluster_config.get_portal(portal_name) + + if not portal_state: + logger.info( + "Registering training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + self.cluster_name, + ) + + self.cluster_config.add_portal( + TrainingPortal( + cluster=self.cluster_config, + name=portal_name, + uid=portal_uid, + generation=xgetattr(metadata, "generation"), + labels=xgetattr(spec, "portal.labels", []), + url=xgetattr(status, "educates.url"), + phase=xgetattr(status, "educates.phase"), + credentials=credentials, + capacity=xgetattr(spec, "portal.sessions.maximum", 0), + allocated=0, + ) + ) + + portal_state = self.cluster_config.get_portal(portal_name) + + else: + logger.info( + "Updating training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + self.cluster_name, + ) + + portal_state.uid = portal_uid + portal_state.generation = xgetattr(metadata, "generation") + portal_state.labels = xgetattr(spec, "portal.labels", []) + portal_state.url = xgetattr(status, "educates.url") + portal_state.phase = xgetattr(status, "educates.phase") + portal_state.credentials = credentials + portal_state.capacity = xgetattr( + spec, "portal.sessions.maximum", 0 + ) + + portal_state.recalculate_capacity() + + @kopf.on.event( + 
"workshopenvironments.training.educates.dev", + labels={"training.educates.dev/portal.name": kopf.PRESENT}, + registry=self.operator_registry, + ) + async def workshopenvironments_event(event: kopf.RawEvent, **_): + """Handles events for workshop environments.""" + + body = xgetattr(event, "object", {}) + metadata = xgetattr(body, "metadata", {}) + spec = xgetattr(body, "spec", {}) + status = xgetattr(body, "status", {}) + + portal_name = xgetattr(metadata, "labels", {}).get( + "training.educates.dev/portal.name" + ) + portal_uid = xgetattr(metadata, "labels", {}).get( + "training.educates.dev/portal.uid" + ) + + environment_name = xgetattr(metadata, "name") + environment_uid = xgetattr(metadata, "uid") + + workshop_name = xgetattr(spec, "workshop.name") + + workshop_generation = xgetattr(status, "educates.workshop.generation", 0) + workshop_spec = xgetattr(status, "educates.workshop.spec", {}) + + with synchronized(self.cluster_config): + portal = self.cluster_config.get_portal(portal_name) + + if xgetattr(event, "type") == "DELETED": + if portal: + logger.info( + "Discard workshop environment %s for workshop %s from portal %s of cluster %s", # pylint: disable=line-too-long + environment_name, + workshop_name, + portal_name, + self.cluster_name, + ) + + portal.remove_environment(environment_name) + portal.recalculate_capacity() + + if portal.phase == "Unknown" and not portal.get_environments(): + logger.info( + "Discard unknown training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + self.cluster_name, + ) + + self.cluster_config.remove_portal(portal_name) + + else: + logger.info( + "Discard workshop environment %s for workshop %s from portal %s of cluster %s as portal not found", # pylint: disable=line-too-long + environment_name, + workshop_name, + portal_name, + self.cluster_name, + ) + + else: + if not portal: + logger.info( + "Registering unknown training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + 
self.cluster_name, + ) + + portal = TrainingPortal( + cluster=self.cluster_config, + name=portal_name, + uid=portal_uid, + generation=0, + labels=[], + url="", + phase="Unknown", + credentials=PortalCredentials( + client_id="", + client_secret="", + username="", + password="", + ), + capacity=0, + allocated=0, + ) + + self.cluster_config.add_portal(portal) + + environment_state = portal.get_environment(environment_name) + + if not environment_state: + logger.info( + "Registering workshop environment %s for workshop %s from portal %s of cluster %s", # pylint: disable=line-too-long + environment_name, + workshop_name, + portal_name, + self.cluster_name, + ) + + portal.add_environment( + WorkshopEnvironment( + portal=portal, + name=environment_name, + uid=environment_uid, + generation=workshop_generation, + workshop=workshop_name, + title=xgetattr(workshop_spec, "title"), + description=xgetattr(workshop_spec, "description"), + labels=xgetattr(workshop_spec, "labels", []), + capacity=xgetattr(status, "educates.capacity", 0), + reserved=xgetattr(status, "educates.reserved", 0), + allocated=0, + available=0, + phase=xgetattr(status, "educates.phase"), + ) + ) + + else: + logger.info( + "Updating workshop environment %s for workshop %s from portal %s of cluster %s", # pylint: disable=line-too-long + environment_name, + workshop_name, + portal_name, + self.cluster_name, + ) + + environment_state.generation = workshop_generation + environment_state.title = xgetattr(workshop_spec, "title") + environment_state.description = xgetattr( + workshop_spec, "description" + ) + environment_state.labels = xgetattr(workshop_spec, "labels", []) + + environment_state.phase = xgetattr(status, "educates.phase") + + environment_state.capacity = xgetattr( + status, "educates.capacity", 0 + ) + environment_state.reserved = xgetattr( + status, "educates.reserved", 0 + ) + + portal.recalculate_capacity() + + @kopf.on.event( + "workshopsessions.training.educates.dev", + labels={ + 
"training.educates.dev/portal.name": kopf.PRESENT, + "training.educates.dev/environment.name": kopf.PRESENT, + }, + registry=self.operator_registry, + ) + async def workshopsessions_event(event: kopf.RawEvent, **_): + """Handles events for workshop sessions.""" + + body = xgetattr(event, "object", {}) + metadata = xgetattr(body, "metadata", {}) + spec = xgetattr(body, "spec", {}) + status = xgetattr(body, "status", {}) + + portal_name = xgetattr(metadata, "labels", {}).get( + "training.educates.dev/portal.name" + ) + portal_uid = xgetattr(metadata, "labels", {}).get( + "training.educates.dev/portal.uid" + ) + + environment_name = xgetattr(metadata, "labels", {}).get( + "training.educates.dev/environment.name" + ) + environment_uid = xgetattr(metadata, "labels", {}).get( + "training.educates.dev/environment.uid" + ) + + workshop_name = xgetattr(spec, "workshop.name") + + session_name = xgetattr(metadata, "name") + + with synchronized(self.cluster_config): + portal = self.cluster_config.get_portal(portal_name) + + if xgetattr(event, "type") == "DELETED": + if portal: + environment = portal.get_environment(environment_name) + + if environment: + logger.info( + "Discard workshop session %s for environment %s from portal %s of cluster %s", # pylint: disable=line-too-long + session_name, + environment_name, + portal_name, + self.cluster_name, + ) + + environment.remove_session(session_name) + portal.recalculate_capacity() + + if environment.phase == "Unknown" and not environment.get_sessions(): + logger.info( + "Discard unknown workshop environment %s from portal %s of cluster %s", # pylint: disable=line-too-long + environment_name, + portal_name, + self.cluster_name, + ) + + portal.remove_environment(environment_name) + + if portal.phase == "Unknown" and not portal.get_environments(): + logger.info( + "Discard unknown training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + self.cluster_name, + ) + + self.cluster_config.remove_portal(portal_name) + 
+ else: + logger.info( + "Discard workshop session %s for environment %s from portal %s of cluster %s as environment not found", # pylint: disable=line-too-long + session_name, + environment_name, + portal_name, + self.cluster_name, + ) + + else: + logger.info( + "Discard workshop session %s for environment %s from portal %s of cluster %s as portal not found", # pylint: disable=line-too-long + session_name, + environment_name, + portal_name, + self.cluster_name, + ) + + else: + if not portal: + logger.info( + "Registering unknown training portal %s with uid %s of cluster %s", + portal_name, + portal_uid, + self.cluster_name, + ) + + portal = TrainingPortal( + cluster=self.cluster_config, + name=portal_name, + uid=portal_uid, + generation=0, + labels=[], + url="", + phase="Unknown", + credentials=PortalCredentials( + client_id="", + client_secret="", + username="", + password="", + ), + capacity=0, + allocated=0, + ) + + self.cluster_config.add_portal(portal) + + environment = portal.get_environment(environment_name) + + if not environment: + logger.info( + "Registering unknown workshop environment %s from portal %s of cluster %s", + environment_name, + portal_name, + self.cluster_name, + ) + + environment = WorkshopEnvironment( + portal=portal, + name=environment_name, + uid=environment_uid, + generation=0, + workshop=workshop_name, + title="", + description="", + labels=[], + capacity=0, + reserved=0, + allocated=0, + available=0, + phase="Unknown", + ) + + portal.add_environment(environment) + + session_state = environment.get_session(session_name) + + if not session_state: + logger.info( + "Registering workshop session %s for environment %s from portal %s of cluster %s, where user is %r", # pylint: disable=line-too-long + session_name, + environment_name, + portal_name, + self.cluster_name, + xgetattr(status, "educates.user"), + ) + + environment.add_session( + WorkshopSession( + environment=environment, + name=session_name, + generation=xgetattr(metadata, 
"generation"), + phase=xgetattr(status, "educates.phase"), + user=xgetattr(status, "educates.user"), + ) + ) + + else: + logger.info( + "Updating workshop session %s for environment %s from portal %s of cluster %s, where user is %r", # pylint: disable=line-too-long + session_name, + environment_name, + portal_name, + self.cluster_name, + xgetattr(status, "educates.user"), + ) + + session_state.generation = xgetattr(metadata, "generation") + session_state.phase = xgetattr(status, "educates.phase") + session_state.user = xgetattr(status, "educates.user") + + portal.recalculate_capacity() + + +@kopf.daemon( + "clusterconfigs.lookup.educates.dev", + cancellation_backoff=5.0, + cancellation_polling=5.0, +) +def clusterconfigs_daemon( + stopped: kopf.DaemonStopped, + name: str, + uid: str, + retry: int, + memo: ServiceState, + **_, +) -> None: + """Starts an instance of the cluster operator for each registered cluster + and waits for it to complete.""" + + # Make sure we have separately processed the cluster config resource so + # that an item exists for it in the cache and it has the same uid. + + cache = memo.cluster_database + + cluster_config = cache.get_cluster(name) + + if not cluster_config or cluster_config.uid != uid: + raise kopf.TemporaryError( + f"Cluster {name} with uid {uid} not found.", + delay=5 if not retry else 15, + ) + + # Start the cluster operator and wait for it to complete. An infinite loop + # is used to keep the daemon thread running until the daemon is stopped as + # kopf framework expects this daemon thread to be running indefinitely until + # it is stopped. + + operator = ClusterOperator(cluster_config, memo) + + operator.run_until_stopped(stopped) diff --git a/lookup-service/service/handlers/tenants.py b/lookup-service/service/handlers/tenants.py new file mode 100644 index 000000000..39e735036 --- /dev/null +++ b/lookup-service/service/handlers/tenants.py 
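Review bot: `secrets_index` is filtered only on `body.get("type") == "Opaque"`, so every Opaque Secret in whichever namespaces the operator is started for is copied into process memory, and the comment below the decorator relies on deployment flags ("only a single namespace should be monitored") rather than code to keep that narrow. Scoping the index to secrets actually meant for this operator, e.g. `@kopf.index("secrets", labels={"lookup.educates.dev/kubeconfig": kopf.PRESENT}, when=...)` or comparing `namespace` against the operator's own namespace, bounds both the blast radius of a memory dump and the RBAC the operator needs. Separately, `clusterconfigs_update` snapshots the kubeconfig only on create/update/resume of the ClusterConfig; as far as I can tell from kopf's semantics an index update on the referenced Secret does not re-run this handler, so after a credential rotation `cluster_config.kubeconfig` keeps the stale token until the pod restarts — a `@kopf.on.event("secrets")` handler that re-touches the dependent ClusterConfig, or a timer, would close that gap. The `kopf.TemporaryError` messages correctly name the secret and key without echoing their contents; keep that property if the YAML failure message is ever made more detailed.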
@@ -0,0 +1,64 @@
+"""Operator handlers for tenant configuration resources."""
+
+import logging
+from typing import Any, Dict
+
+import kopf
+
+from ..caches.tenants import TenantConfig
+from ..helpers.objects import xgetattr
+from ..service import ServiceState
+
+logger = logging.getLogger("educates")
+
+
+@kopf.on.resume("tenantconfigs.lookup.educates.dev")
+@kopf.on.create("tenantconfigs.lookup.educates.dev")
+@kopf.on.update("tenantconfigs.lookup.educates.dev")
+def tenantconfigs_update(
+ name: str, meta: kopf.Meta, spec: kopf.Spec, memo: ServiceState, reason: str, **_
+) -> Dict[str, Any]:
+ """Add the tenant configuration to the tenant database."""
+
+ generation = meta["generation"]
+
+ tenant_name = name
+
+ tenant_clusters = xgetattr(spec, "clusters", {})
+ tenant_portals = xgetattr(spec, "portals", {})
+
+ logger.info(
+ "%s tenant configuration %r with generation %s.",
+ (reason == "update") and "Update" or "Register",
+ name,
+ generation,
+ )
+
+ tenant_database = memo.tenant_database
+
+ tenant_database.update_tenant(
+ TenantConfig(
+ name=tenant_name,
+ clusters=tenant_clusters,
+ portals=tenant_portals,
+ )
+ )
+
+ return {}
+
+
+@kopf.on.delete("tenantconfigs.lookup.educates.dev")
+def tenantconfigs_delete(name: str, meta: kopf.Meta, memo: ServiceState, **_) -> None:
+ """Remove the tenant configuration from the tenant database."""
+
+ generation = meta["generation"]
+
+ tenant_database = memo.tenant_database
+
+ tenant_name = name
+
+ logger.info(
+ "Discard tenant configuration %r with generation %s.", tenant_name, generation
+ )
+
+ tenant_database.remove_tenant(tenant_name)
diff --git a/lookup-service/service/helpers/__init__.py b/lookup-service/service/helpers/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/lookup-service/service/helpers/kubeconfig.py b/lookup-service/service/helpers/kubeconfig.py
new file mode 100644
index 000000000..95316292f
--- /dev/null
+++ b/lookup-service/service/helpers/kubeconfig.py
@@ -0,0 +1,240 @@ +"""Helper functions for working with kubeconfig files.""" + +import base64 +from typing import Union + +import kopf + +# The kubeconfig file is a YAML file with the following structure: +# +# apiVersion: v1 +# kind: Config +# clusters: +# - name: cluster-name +# cluster: +# server: https://kubernetes.default.svc +# certificate-authority-data: +# contexts: +# - name: cluster-name-context +# context: +# cluster: cluster-name +# user: cluster-name-user +# current-context: cluster-name-context +# users: +# - name: cluster-name-user +# user: +# token: + + +def create_kubeconfig_from_access_token_secret( + directory: str, + cluster_name: str, + server_url: str = "https://kubernetes.default.svc", +) -> dict: + """Creates a kubeconfig from mounted access token secret.""" + + # The mounted directory is a volume created from the Kubernetes service + # account token and CA certificate. We want to create a kubeconfig file that + # uses these to access the Kubernetes API. First read the service account + # token from the mounted directory. + + with open(f"{directory}/token", "r", encoding="utf-8") as token_file: + token = token_file.read().strip() + + # Read the CA certificate from the mounted directory. + + with open(f"{directory}/ca.crt", "rb") as ca_file: + ca_certificate_bytes = ca_file.read().strip() + + # Create the kubeconfig file. 
+ + kubeconfig = { + "apiVersion": "v1", + "kind": "Config", + "clusters": [ + { + "name": cluster_name, + "cluster": { + "server": server_url, + "certificate-authority-data": base64.b64encode( + ca_certificate_bytes + ).decode("utf-8"), + }, + } + ], + "contexts": [ + { + "name": f"{cluster_name}-context", + "context": { + "cluster": cluster_name, + "user": f"{cluster_name}-user", + }, + } + ], + "current-context": f"{cluster_name}-context", + "users": [ + { + "name": f"{cluster_name}-user", + "user": { + "token": token, + }, + } + ], + } + + return kubeconfig + + +def verify_kubeconfig_format(kubeconfig: dict) -> None: + """Verifies that a kubeconfig file is well-formed.""" + + # Verify the kubeconfig file has the correct structure. + + if ( + kubeconfig.get("apiVersion") != "v1" + or kubeconfig.get("kind") != "Config" + or not isinstance(kubeconfig.get("clusters"), list) + or not isinstance(kubeconfig.get("contexts"), list) + or not isinstance(kubeconfig.get("users"), list) + or not isinstance(kubeconfig.get("current-context"), str) + ): + raise ValueError("Invalid kubeconfig file format.") + + for cluster in kubeconfig.get("clusters", []): + if ( + not isinstance(cluster, dict) + or not isinstance(cluster.get("name"), str) + or not isinstance(cluster.get("cluster"), dict) + or not isinstance(cluster["cluster"].get("server"), str) + or not isinstance(cluster["cluster"].get("certificate-authority-data"), str) + ): + raise ValueError("Invalid kubeconfig file format.") + + for context in kubeconfig.get("contexts", []): + if ( + not isinstance(context, dict) + or not isinstance(context.get("name"), str) + or not isinstance(context.get("context"), dict) + or not isinstance(context["context"].get("cluster"), str) + or not isinstance(context["context"].get("user"), str) + ): + raise ValueError("Invalid kubeconfig file format.") + + for user in kubeconfig.get("users", []): + if ( + not isinstance(user, dict) + or not isinstance(user.get("name"), str) + or not 
isinstance(user.get("user"), dict) + or not isinstance(user["user"].get("token"), str) + ): + raise ValueError("Invalid kubeconfig file format.") + + +def extract_context_from_kubeconfig( + kubeconfig: dict, context: Union[str, None] = None +) -> dict: + """Extracts a context from a kubeconfig file. If the context is not + specified, the current context is extracted, or if no current context then + use the first context found. Leave the certficate data in its base64 encoded + form. Assume that the kubeconfig file is well-formed, does not need + validation and the context exists. Also assume that it only provides + certificate authority data and a token for authentication and that it does + not use a client certificate.""" + + # If no context provided see if the current context is specified in the + # kubeconfig file data, otherwise use the first context found. + + if context is None: + context = kubeconfig.get("current-context") + + if context is None: + context = kubeconfig["contexts"][0]["name"] + + # Find the context in the kubeconfig file data. + + context_data = None + + for context_data in kubeconfig["contexts"]: + if context_data["name"] == context: + break + + if context_data is None: + raise ValueError(f"Context {context} not found in kubeconfig file.") + + # Find the cluster and user data for the context. + + cluster_data = None + + for cluster in kubeconfig["clusters"]: + if cluster["name"] == context_data["context"]["cluster"]: + cluster_data = cluster + break + + user_data = None + + for user in kubeconfig["users"]: + if user["name"] == context_data["context"]["user"]: + user_data = user + break + + # Construct a new kubeconfig file with only data releveant to the context. 
+ + kubeconfig = { + "apiVersion": "v1", + "kind": "Config", + "clusters": [cluster_data], + "contexts": [context_data], + "current-context": context_data["name"], + "users": [user_data], + } + + return kubeconfig + + +def create_connection_info_from_kubeconfig(config: dict) -> kopf.ConnectionInfo: + """Create kopf connection info from kubeconfig data.""" + + contexts = {} + clusters = {} + users = {} + + current_context = None + + if current_context is None: + current_context = config.get("current-context") + + for item in config.get("contexts", []): + if item["name"] not in contexts: + contexts[item["name"]] = item.get("context") or {} + + for item in config.get("clusters", []): + if item["name"] not in clusters: + clusters[item["name"]] = item.get("cluster") or {} + + for item in config.get("users", []): + if item["name"] not in users: + users[item["name"]] = item.get("user") or {} + + if current_context is None: + raise ValueError("Current context is not set in kubeconfig.") + + if current_context not in contexts: + raise ValueError(f"Context {current_context} not found in kubeconfig.") + + context = contexts[current_context] + cluster = clusters[context["cluster"]] + user = users[context["user"]] + + provider_token = user.get("auth-provider", {}).get("config", {}).get("access-token") + + return kopf.ConnectionInfo( + server=cluster.get("server"), + ca_data=cluster.get("certificate-authority-data"), + insecure=cluster.get("insecure-skip-tls-verify"), + certificate_data=user.get("client-certificate-data"), + private_key_data=user.get("client-key-data"), + username=user.get("username"), + password=user.get("password"), + token=user.get("token") or provider_token, + default_namespace=context.get("namespace"), + ) diff --git a/lookup-service/service/helpers/objects.py b/lookup-service/service/helpers/objects.py new file mode 100644 index 000000000..da96dfc07 --- /dev/null +++ b/lookup-service/service/helpers/objects.py 
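Review bot: In `extract_context_from_kubeconfig` the "context not found" check can never fire: `for context_data in kubeconfig["contexts"]` leaves `context_data` bound to the last element when no name matches, so a mistyped `credentials.kubeconfig.context` silently selects the last context in the file — potentially a different cluster and a different credential — instead of raising `ValueError`. Replace the loop with `context_data = next((c for c in kubeconfig["contexts"] if c["name"] == context), None)` and keep the existing `if context_data is None: raise ValueError(...)`. The same gap exists for `cluster_data` and `user_data`, which stay `None` when the context references a cluster or user that is absent and are then emitted as `[None]` lists; raise `ValueError` there as well rather than handing a broken kubeconfig to `create_connection_info_from_kubeconfig`. That function also forwards `insecure-skip-tls-verify` from an operator-supplied Secret; since `verify_kubeconfig_format` already requires `certificate-authority-data`, consider rejecting `insecure-skip-tls-verify: true` in the validator so TLS verification toward remote clusters cannot be switched off through configuration.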
@@ -0,0 +1,21 @@
+"""Helper functions for accessing objects."""
+
+from typing import Any
+
+
+def xgetattr(obj: Any, key: str, default: Any = None) -> Any:
+ """Looks up a property within an object using a dotted path as key.
+ If the property isn't found, then return the default value.
+ """
+
+ keys = key.split(".")
+ value = default
+
+ for key in keys:
+ value = obj.get(key)
+ if value is None:
+ return default
+
+ obj = value
+
+ return value
diff --git a/lookup-service/service/helpers/operator.py b/lookup-service/service/helpers/operator.py
new file mode 100644
index 000000000..cf4e9762d
--- /dev/null
+++ b/lookup-service/service/helpers/operator.py
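Review bot: `xgetattr` calls `obj.get(key)` on each intermediate value without checking that it is a mapping, so a custom-resource spec in which an intermediate node is a scalar or a list (for example `credentials.kubeconfig: "..."` in a ClusterConfig) raises `AttributeError` inside the operator handler instead of returning `default`; since every caller in this commit feeds it user-supplied CR specs, add `if not hasattr(obj, "get"): return default` at the top of the loop (or an `isinstance(obj, collections.abc.Mapping)` check if you are willing to add the import). The loop variable also shadows the `key` parameter; `for part in key.split("."):` reads better and avoids confusion in tracebacks. The docstring promises a lookup "within an object" but the implementation only supports `.get`-style mappings, so say so: `"""Look up a nested value in a mapping (or kopf body) using a dotted path; return default if any segment is missing or None."""`.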
@@ -0,0 +1,172 @@ +"""Base class and helper functions for kopf based operator.""" + +import asyncio +import contextlib +import logging +import threading +import time + +import aiohttp +import kopf + +from ..caches.clusters import ClusterConfig +from ..service import ServiceState +from .kubeconfig import create_connection_info_from_kubeconfig + +logger = logging.getLogger("educates") + + +class GenericOperator(threading.Thread): + """Base class for kopf based operator.""" + + def __init__( + self, + cluster_config: ClusterConfig, + *, + namespaces: str = None, + service_state: ServiceState + ) -> None: + """Initializes the operator.""" + + super().__init__() + + # Set the name of the operator and the namespaces to watch for + # resources. When the list of namespaces is empty, the operator will + # watch for resources cluster wide. + + self.cluster_config = cluster_config + self.namespaces = namespaces or [] + + # Set the state object for the operator. This is used to store the state + # of the operator across invocations. + + self.service_state = service_state + + # Create an operator registry to store the handlers for the operator. + # We need a distinct registry for each operator since we need to be able + # to run multiple operators in the same process with separate handlers. + + self.operator_registry = kopf.OperatorRegistry() + + # Create a stop flag to signal the operator to stop running. This is + # used to bridge between the kopf variable for stopping the operator + # and event required to stop the event loop for the operator. 
+ + self._stop_flag = threading.Event() + + @property + def cluster_name(self): + """Return the name of the cluster the operator is managing.""" + + return self.cluster_config.name + + @property + def kubeconfig(self): + """Return the kubeconfig for the cluster the operator is managing.""" + + return self.cluster_config.kubeconfig + + def register_handlers(self) -> None: + """Register the handlers for the operator.""" + + raise NotImplementedError("Subclasses must implement this method.") + + def run(self) -> None: + """Starts the kopf operator in a separate event loop.""" + + # Register the login function for the operator. + + @kopf.on.login(registry=self.operator_registry) + def login_fn(**_) -> dict: + """Returns login credentials for the cluster calculated from the + configuration currently held in the cluster configuration cache.""" + + return create_connection_info_from_kubeconfig(self.kubeconfig) + + @kopf.on.cleanup() + async def cleanup_fn(**_) -> None: + """Cleanup function for operator.""" + + # Workaround for possible kopf bug, set stop flag. + + self._stop_flag.set() + + # Register the kopf handlers for this operator. + + self.register_handlers() + + # Determine if the operator should be run clusterwide or in specific + # namespaces. + + clusterwide = False + + if not self.namespaces: + clusterwide = True + + # Run the operator in a separate event loop, waiting for the stop flag + # to be set, at which point the operator will be stopped and this thread + # will exit. 
+ + while not self._stop_flag.is_set(): + event_loop = asyncio.new_event_loop() + + asyncio.set_event_loop(event_loop) + + logger.info("Starting managed cluster operator for %s.", self.cluster_name) + + with contextlib.closing(event_loop): + try: + event_loop.run_until_complete( + kopf.operator( + registry=self.operator_registry, + clusterwide=clusterwide, + namespaces=self.namespaces, + memo=self.service_state, + stop_flag=self._stop_flag, + ) + ) + + except ( + aiohttp.client_exceptions.ClientConnectorError, + aiohttp.client_exceptions.ClientConnectorCertificateError, + ): + # If the operator exits due to a connection error it means it + # could not connect to the cluster on initial startup. After + # a short delay, the operator will be restarted. Note that + # this only applied to the initial connecttion. If the operator + # loses connection to the cluster while running, it will not + # be restarted and what instead happens is that kopf will + # continually attempt to reconnect to the cluster. + # + # TODO: Need to find a way to get from kopf a notification + # that the watchers are failing so can try to reconnect + # or tale some other action. + + logger.exception( + "Connection error, restarting operator after delay." + ) + + time.sleep(5.0) + + def cancel(self) -> None: + """Flags the kopf operator to stop.""" + + # Set the stop flag to stop the operator. This will cause the event loop + # to stop running and the operator thread to exit. + + self._stop_flag.set() + + def run_until_stopped(self, stopped: kopf.DaemonStopped) -> None: + """Run the operator until stopped.""" + + self.start() + + while not stopped: + # We should be called from a traditional thread so it is safe to use + # blocking sleep call. + + time.sleep(1.0) + + self.cancel() + + self.join() diff --git a/lookup-service/service/helpers/selectors.py b/lookup-service/service/helpers/selectors.py new file mode 100644 index 000000000..2235ac831 --- /dev/null 
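Review bot: The `cleanup_fn` handler in `GenericOperator.run` is declared with `@kopf.on.cleanup()` and no `registry=` argument, while `login_fn` directly above it is registered on `self.operator_registry`; as written the cleanup handler presumably lands in kopf's default registry, so it would not be run by `kopf.operator(registry=self.operator_registry, ...)` and the global registry would collect one cleanup entry per operator thread. Passing the registry, `@kopf.on.cleanup(registry=self.operator_registry)`, keeps both handlers on the same registry and lets the stop-flag workaround actually fire for this operator. Separately, the constructor annotates `namespaces: str = None` but the value is treated as a list (`self.namespaces = namespaces or []`, then passed as `namespaces=`), so the annotation should be `Optional[List[str]]` to match how it is used.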
+++ b/lookup-service/service/helpers/selectors.py 
@@ -0,0 +1,146 @@ +"""Selectors for matching Kubernetes resource objects.""" + +import fnmatch +from dataclasses import dataclass +from enum import Enum +from typing import Any, Dict, List + +from ..helpers.objects import xgetattr + + +@dataclass +class NameSelector: + """Selector for matching Kubernetes resource objects by name.""" + + match_names: List[str] + + def match_resource(self, resource: Dict[str, Any]) -> bool: + """Check if a resource matches the selector. Note that if the list of + names is empty, then the selector will match all resources. When + matching names we actually use a glob expression.""" + + if not self.match_names: + return True + + name = xgetattr(resource, "metadata.name") + + for pattern in self.match_names: + if fnmatch.fnmatch(name, pattern): + return True + + return False + + +class Operator(Enum): + """Operators for when matching Kubernetes resource objects by label + expressions. + """ + + IN = "In" + NOT_IN = "NotIn" + EXISTS = "Exists" + DOES_NOT_EXIST = "DoesNotExist" + + +@dataclass +class LabelSelectorRequirement: + """Selector for matching Kubernetes resource objects by label express.""" + + key: str + operator: Operator + values: List[str] + + def match_resource(self, resource: Dict[str, Any]) -> bool: + """Check if a resource matches the selector.""" + + labels = xgetattr(resource, "metadata.labels", {}) + + value = labels.get(self.key) + + if self.operator == Operator.IN: + return value in self.values + elif self.operator == Operator.NOT_IN: + return value not in self.values + elif self.operator == Operator.EXISTS: + return value is not None + elif self.operator == Operator.DOES_NOT_EXIST: + return value is None + + return False + + +@dataclass +class LabelSelector: + """selector for matching Kubernetes resource objects by label.""" + + match_labels: Dict[str, str] + match_expressions: List[LabelSelectorRequirement] + + def match_resource(self, resource: Dict[str, Any]) -> bool: + """Check if a resource matches the 
selector.""" + + # First check if labels match by key/value pairs. If the set of labels + # is empty, then the selector will match all resources, but will still + # need to go on and check the label expressions. + + labels = xgetattr(resource, "metadata.labels", {}) + + if not all( + labels.get(key) == value for key, value in self.match_labels.items() + ): + return False + + # Now check list of label expressions. If this list is empty, then it + # will match all resources. + + return all(expr.match_resource(resource) for expr in self.match_expressions) + + +def convert_to_name_selector(name_selector_dict: dict) -> NameSelector: + """Converts a Kubernetes resource representation of a name selector to a + NameSelector object. + """ + + return NameSelector(match_names=name_selector_dict.get("matchNames", [])) + + +def convert_to_label_selector(label_selector_dict: dict) -> LabelSelector: + """Converts a Kubernetes resource representation of a label selector to a + LabelSelector object. + """ + + match_labels = label_selector_dict.get("matchLabels", {}) + + match_expressions_data = label_selector_dict.get("matchExpressions", []) + + match_expressions = [ + LabelSelectorRequirement( + key=expr["key"], + operator=Operator(expr["operator"]), + values=expr.get("values"), + ) + for expr in match_expressions_data + ] + + return LabelSelector(match_labels=match_labels, match_expressions=match_expressions) + + +@dataclass +class ResourceSelector: + """Selectors for matching Kubernetes resource objects.""" + + name_selector: NameSelector + label_selector: LabelSelector + + def __init__(self, selector: Any) -> None: + self.name_selector = convert_to_name_selector(selector.get("nameSelector", {})) + self.label_selector = convert_to_label_selector( + selector.get("labelSelector", {}) + ) + + def match_resource(self, resource: Dict[str, Any]) -> bool: + """Check if a resource matches the selector.""" + + return self.name_selector.match_resource( + resource + ) and 
self.label_selector.match_resource(resource) diff --git a/lookup-service/service/main.py b/lookup-service/service/main.py new file mode 100644 index 000000000..625a83487 --- /dev/null +++ b/lookup-service/service/main.py 
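Review bot: `convert_to_label_selector` builds each requirement with `values=expr.get("values")`, which is `None` when the field is omitted, and `LabelSelectorRequirement.match_resource` then evaluates `value in None` for a malformed `In`/`NotIn` expression and raises TypeError instead of returning False; `values=expr.get("values") or []` matches the declared `List[str]` type and makes the missing case a non-match. `NameSelector.match_resource` has the same shape of problem: `xgetattr(resource, "metadata.name")` returns `None` for a resource without a name and `fnmatch.fnmatch(None, pattern)` raises rather than failing the match, so a `if name is None: return False` guard before the loop is warranted. Since these selectors decide which resources a configuration applies to, an exception here aborts the whole match rather than excluding the one malformed resource.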
@@ -0,0 +1,251 @@ +"""Main entry point for the lookup service. This module starts the kopf +operator framework and the aiohttp server for handling REST API requests.""" + +import asyncio +import contextlib +import logging +import os +import signal +import threading + +import aiohttp +import kopf +import pykube + +from .caches.databases import client_database, cluster_database, tenant_database +from .handlers import clients as _ # pylint: disable=unused-import +from .handlers import clusters as _ # pylint: disable=unused-import +from .handlers import tenants as _ # pylint: disable=unused-import +from .routes import register_routes +from .service import ServiceState + + +# Set up logging for the educates operator. + +logging.getLogger("kopf.activities.probe").setLevel(logging.WARNING) +logging.getLogger("kopf.objects").setLevel(logging.WARNING) + +logger = logging.getLogger("educates") + + +# Configuration to namespace to monitor for configuration resources. + +OPERATOR_NAMESPACE = os.getenv("OPERATOR_NAMESPACE", "educates-config") + +# Register the operator handlers for the training platform operator. +# +# TODO: These handler registrations are done against the global kopf registry +# and thus will not apply to secondary operator instances which are created in +# separate threads later as they will use their own registry. This means +# liveness probes aren't currently checking access to secondary clusters. Also +# need to check whether settings are being applied to the secondary operator +# instances. 
+ + +@kopf.on.startup() +def configure(settings: kopf.OperatorSettings, **_) -> None: + """Configures the kopf operator settings.""" + + settings.posting.level = logging.ERROR + settings.watching.connect_timeout = 1 * 60 + settings.watching.server_timeout = 5 * 60 + settings.watching.client_timeout = settings.watching.server_timeout + 10 + + +@kopf.on.login() +def login_fn(**kwargs) -> dict: + """Returns login credentials to be used by the kopf operator framework using + the pykube library so that the operator framework is using the same means of + getting credentials as the pykube library.""" + + return kopf.login_via_pykube(**kwargs) + + +@kopf.on.probe(id="api") +def check_api_access(**_) -> None: + """Checks if we can access the Kubernetes API for the liveness probe. The + kopf framework will handle the response to the liveness probe based on + the result of this function. The kopf operator framework will also do + basic checks to determine if the operator is still running and if it is + able to process events.""" + + try: + api = pykube.HTTPClient(pykube.KubeConfig.from_env()) + pykube.Namespace.objects(api).get(name="default") + + except pykube.exceptions.KubernetesError: + logger.error("Failed liveness probe request to Kubernetes API.") + + raise + + +# Process variables and shutdown handling. Signal handlers run in the main +# thread so we need to use global event objects to signal the kopf framework +# and HTTP server, which run in separate threads, to stop processing. + +_kopf_main_process_thread = None # pylint: disable=invalid-name +_kopf_main_event_loop = None # pylint: disable=invalid-name + +_aiohttp_main_process_thread = None # pylint: disable=invalid-name +_aiohttp_main_event_loop = None # pylint: disable=invalid-name + +_shutdown_server_process_flag = threading.Event() + + +def shutdown_server_process(signum: int, *_) -> None: + """Signal handler for shutting down the server process. 
This will set the + stop flag for the kopf framework and HTTP server to stop processing.""" + + logger.info("Signal handler called with signal %s.", signum) + + if _kopf_main_event_loop: + _shutdown_server_process_flag.set() + + +def register_signal_handlers() -> None: + """Registers signal handlers for the server process. This will allow the + server process to be shutdown cleanly when a signal is received.""" + + signal.signal(signal.SIGINT, shutdown_server_process) + signal.signal(signal.SIGTERM, shutdown_server_process) + + +@kopf.on.cleanup() +async def cleanup_fn(**_) -> None: + """Cleanup function for the operator.""" + + # This is a workaround for a possible bug in kopf where the cleanup function + # isn't being called when the operator is stopped. This sets the stop flag + # for the operator to stop processing again. This may no longer be required. + + _shutdown_server_process_flag.set() + + +# Global data structures to be shared across the kopf operator and uvicorn +# server threads. + +service_state = ServiceState( + client_database=client_database, + tenant_database=tenant_database, + cluster_database=cluster_database, +) + + +def run_kopf() -> threading.Thread: + """Run kopf in a separate thread.""" + + def worker_thread(): + logger.info("Starting kopf framework main loop.") + + # Need to create and set the event loop since this isn't being + # called in the main thread. + + global _kopf_main_event_loop # pylint: disable=global-statement + + _kopf_main_event_loop = asyncio.new_event_loop() + asyncio.set_event_loop(_kopf_main_event_loop) + + # Run the kopf operator framework until the shutdown flag is set. 
+ + with contextlib.closing(_kopf_main_event_loop): + _kopf_main_event_loop.run_until_complete( + kopf.operator( + clusterwide=False, + namespaces=[OPERATOR_NAMESPACE], + stop_flag=_shutdown_server_process_flag, + memo=service_state, + liveness_endpoint="http://0.0.0.0:8081/healthz", + ) + ) + + # Start the kopf operator framework in a separate thread. + + thread = threading.Thread(target=worker_thread) + thread.start() + + return thread + + +def run_aiohttp() -> threading.Thread: + """Run aiohttp in a separate thread.""" + + aiohttp_app = aiohttp.web.Application() + + aiohttp_app["service_state"] = service_state + + register_routes(aiohttp_app) + + runner = aiohttp.web.AppRunner(aiohttp_app) + + async def wait_for_process_shutdown() -> None: + """Wait for the server process to shutdown and then shutdown the HTTP + server.""" + + # Wait for the shutdown flag to be set. + + while not _shutdown_server_process_flag.is_set(): + await asyncio.sleep(1) + + # Shutdown the aiohttp server. + + await runner.cleanup() + + def worker_thread() -> None: + """Worker thread for running the HTTP server.""" + + # Need to create a separate event loop for the HTTP server since this + # isn't being called in the main thread. + + global _aiohttp_main_event_loop # pylint: disable=global-statement + + _aiohttp_main_event_loop = asyncio.new_event_loop() + asyncio.set_event_loop(_aiohttp_main_event_loop) + + async def run_app() -> None: + await runner.setup() + site = aiohttp.web.TCPSite(runner, "0.0.0.0", 8080) + await site.start() + + with contextlib.closing(_aiohttp_main_event_loop): + _aiohttp_main_event_loop.run_until_complete( + asyncio.gather(run_app(), wait_for_process_shutdown()) + ) + + # Start the HTTP server in a separate thread. + + thread = threading.Thread(target=worker_thread) + thread.start() + + return thread + + +# Main entry point for the educates operator. This will start the kopf operator +# framework and the HTTP server. 
+ +if __name__ == "__main__": + + # Set up logging for the educates operator. + + logging.basicConfig(level=logging.INFO) + logger.setLevel(logging.INFO) + + # Suppress verbose logging from urllib3 if ever set general log level to + # more verbose setting. + + logging.getLogger("urllib3.connectionpool").setLevel(logging.INFO) + + # Register signal handlers for the server process. + + register_signal_handlers() + + # Start the kopf framework and HTTP server threads. + + _kopf_main_process_thread = run_kopf() + _aiohttp_main_process_thread = run_aiohttp() + + # Wait for the kopf framework and HTTP server threads to complete. This + # will block until the threads are finished which will only occur when the + # shutdown process signal is received. + + _kopf_main_process_thread.join() + _aiohttp_main_process_thread.join() diff --git a/lookup-service/service/routes/__init__.py b/lookup-service/service/routes/__init__.py new file mode 100644 index 000000000..f664a37c6 --- /dev/null +++ b/lookup-service/service/routes/__init__.py @@ -0,0 +1,22 @@ +"""Handlers for HTTP API endpoints.""" + +from aiohttp import web + +from . import authnz, clients, clusters, portals, tenants, workshops + + +def register_routes(app: web.Application) -> None: + """Register the HTTP API routes with the application.""" + + # Register authentication and authorization middleware/routes. + + app.middlewares.extend(authnz.middlewares) + app.add_routes(authnz.routes) + + # Register the routes for the different parts of the service. + + app.add_routes(clients.routes) + app.add_routes(clusters.routes) + app.add_routes(portals.routes) + app.add_routes(tenants.routes) + app.add_routes(workshops.routes) diff --git a/lookup-service/service/routes/authnz.py b/lookup-service/service/routes/authnz.py new file mode 100644 index 000000000..5e610bb10 --- /dev/null +++ b/lookup-service/service/routes/authnz.py 
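Review bot: `shutdown_server_process` only sets `_shutdown_server_process_flag` when `_kopf_main_event_loop` is already assigned, and that global is assigned from inside the kopf worker thread, so a SIGINT/SIGTERM delivered during startup is silently dropped and the process keeps running until a second signal arrives. Setting the flag unconditionally, `_shutdown_server_process_flag.set()`, is the simpler rule, since both worker threads only poll the flag and `kopf.operator` is given it as `stop_flag`. The comment above `service_state` says the structures are shared with "uvicorn server threads", but the HTTP server here is aiohttp (`run_aiohttp`), so the comment should name aiohttp.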
@@ -0,0 +1,234 @@ +"""HTTP API handlers and decorators for controlling access to the REST API. +""" + +import datetime +from typing import Callable + +import jwt +from aiohttp import web + +from ..config import jwt_token_secret +from ..caches.clients import ClientConfig + +TOKEN_EXPIRATION = 72 # Expiration in hours. + + +def generate_login_response(client: ClientConfig) -> dict: + """Generate a JWT token for the client. The token will be set to expire and + will need to be renewed. The token will contain the username and the unique + identifier for the client.""" + + expires_at = int( + ( + datetime.datetime.now(datetime.timezone.utc) + + datetime.timedelta(hours=TOKEN_EXPIRATION) + ).timestamp() + ) + + jwt_token = jwt.encode( + {"sub": client.name, "jti": client.identity, "exp": expires_at}, + jwt_token_secret(), + algorithm="HS256", + ) + + return { + "access_token": jwt_token, + "token_type": "Bearer", + "expires_at": expires_at, + } + + +def decode_client_token(token: str) -> dict: + """Decode the client token and return the decoded token. If the token is + invalid, an exception will be raised.""" + + return jwt.decode(token, jwt_token_secret(), algorithms=["HS256"]) + + +@web.middleware +async def jwt_token_middleware( + request: web.Request, handler: Callable[..., web.Response] +) -> web.Response: + """Extract and decode the JWT token from the Authorization header, if + present. Store the decoded details in the request object for later use by + decorators on the individual request handlers that need to authenticate the + client and check for required authorization. + """ + + # Extract the Authorization header from the request if present. + + authorization = request.headers.get("Authorization") + + if authorization: + # Check if the Authorization header is a Bearer token. 
+ + parts = authorization.split() + + if len(parts) != 2: + return web.Response(text="Invalid Authorization header", status=400) + + if parts[0].lower() != "bearer": + return web.Response(text="Invalid Authorization header", status=400) + + # Decode the JWT token passed in the Authorization header. + + try: + token = parts[1] + decoded_token = decode_client_token(token) + except jwt.ExpiredSignatureError: + return web.Response(text="JWT token has expired", status=401) + except jwt.InvalidTokenError: + return web.Response(text="JWT token is invalid", status=401) + + # Store the decoded token in the request object for later use. + + request["jwt_token"] = decoded_token + request["client_name"] = decoded_token["sub"] + + # Continue processing the request. + + return await handler(request) + + +def login_required(handler: Callable[..., web.Response]) -> web.Response: + """Decorator to verify that client is logged in to the service.""" + + async def wrapper(request: web.Request) -> web.Response: + # Check if the decoded JWT token is present in the request object. + + if "jwt_token" not in request: + return web.Response(text="JWT token not supplied", status=400) + + decoded_token = request["jwt_token"] + + # Check the client database for the client by the name of the client + # taken from the JWT token subject. Then check if the identity of the + # client is still the same as the one recorded in the JWT token. + + service_state = request.app["service_state"] + client_database = service_state.client_database + + client = client_database.get_client(decoded_token["sub"]) + + if not client: + return web.Response(text="Client details not found", status=401) + + if not client.validate_identity(decoded_token["jti"]): + return web.Response(text="Client identity does not match", status=401) + + request["remote_client"] = client + + # Continue processing the request. 
+ + return await handler(request) + + return wrapper + + +def roles_accepted( + *roles: str, +) -> Callable[[Callable[..., web.Response]], web.Response]: + """Decorator to check that the client has access to the endpoint by + confirming that is has any role required by the endpoint for access.""" + + def decorator(handler: Callable[..., web.Response]) -> web.Response: + async def wrapper(request: web.Request) -> web.Response: + # Check if the client has one of the required roles. + + client = request["remote_client"] + + matched_roles = client.has_required_role(*roles) + + if not matched_roles: + return web.Response(text="Client access not permitted", status=403) + + request["client_roles"] = matched_roles + + # Continue processing the request. + + return await handler(request) + + return wrapper + + return decorator + + +async def api_auth_login(request: web.Request) -> web.Response: + """Login handler for accessing the web application. Validates the username + and password provided in the request and returns a JWT token if the + credentials are valid.""" + + # Extract the username and password from the request POST data. + + data = await request.json() + + username = data.get("username") + password = data.get("password") + + if username is None: + return web.Response(text="No username provided", status=400) + + if password is None: + return web.Response(text="No password provided", status=400) + + # Check if the password is correct for the username. + + service_state = request.app["service_state"] + client_database = service_state.client_database + + client = client_database.authenticate_client(username, password) + + if not client: + return web.Response(text="Invalid username/password", status=401) + + # Generate a JWT token for the user and return it. The response is + # bundle with the token type and expiration time so they can be used + # by the client without needing to parse the actual JWT token. 
+ + token = generate_login_response(client) + + return web.json_response(token) + + +async def api_auth_logout(request: web.Request) -> web.Response: + """Logout handler for the web application. The client will be logged out + and the JWT token will be invalidated.""" + + # Check if the decoded JWT token is present in the request object. + + if "jwt_token" not in request: + return web.Response(text="JWT token not supplied", status=400) + + decoded_token = request["jwt_token"] + + # Check the client database for the client by the name of the client + # taken from the JWT token subject. Then check if the identity of the + # client is still the same as the one recorded in the JWT token. + + service_state = request.app["service_state"] + client_database = service_state.client_database + + client = client_database.get_client(decoded_token["sub"]) + + if not client: + return web.Response(text="Client details not found", status=401) + + if not client.validate_identity(decoded_token["jti"]): + return web.Response(text="Client identity does not match", status=401) + + # Revoke the tokens issued to the client. + + client.revoke_tokens() + + return web.json_response({}) + +# Set up the middleware and routes for the authentication and authorization. + +middlewares = [jwt_token_middleware] + +routes = [ + web.post("/login", api_auth_login), + web.post("/auth/login", api_auth_login), + web.post("/auth/logout", api_auth_logout), + web.get("/auth/verify", login_required(lambda r: web.json_response({}))), +] diff --git a/lookup-service/service/routes/clients.py b/lookup-service/service/routes/clients.py new file mode 100644 index 000000000..50485087f --- /dev/null +++ b/lookup-service/service/routes/clients.py 
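Review bot: `api_auth_login` calls `await request.json()` with no guard, so a body that is not valid JSON, or is JSON but not an object, raises inside the handler and the unauthenticated `/auth/login` route answers with a 500 instead of a 400 (`data.get` on a non-dict payload fails the same way). A small guard before the username/password checks keeps malformed input on the 4xx path. `api_auth_logout` also repeats the client lookup and identity check that `login_required` already performs; decorating it with `login_required` and reading `request["remote_client"]` would keep the revocation check in one place. The return annotations on `login_required` and `roles_accepted` declare `web.Response`, but both return wrapper callables, which a type checker will flag.
```python
async def api_auth_login(request: web.Request) -> web.Response:
    # … unchanged: docstring …
    try:
        data = await request.json()
    except ValueError:
        return web.Response(text="Invalid JSON body", status=400)

    if not isinstance(data, dict):
        return web.Response(text="Invalid JSON body", status=400)

    username = data.get("username")
    # … unchanged: username/password checks, authentication and token response …
```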
@@ -0,0 +1,62 @@ +"""REST API handlers for client management.""" + +from aiohttp import web + +from .authnz import login_required, roles_accepted + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clients(request: web.Request) -> web.Response: + """Returns a list of clients which can access the service.""" + + service_state = request.app["service_state"] + client_database = service_state.client_database + + data = { + "clients": [ + {"name": client.name, "roles": client.roles, "tenants": client.tenants} + for client in client_database.get_clients() + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin", "tenant") +async def api_get_v1_clients_details(request: web.Request) -> web.Response: + """Returns details for the specified client.""" + + remote_client = request["remote_client"] + client_roles = request["client_roles"] + + client_name = request.match_info["client"] + + if "tenant" in client_roles: + if remote_client.name != client_name: + return web.Response(text="Client access not permitted", status=403) + + service_state = request.app["service_state"] + client_database = service_state.client_database + + client = client_database.get_client(client_name) + + if not client: + return web.Response(text="Client not available", status=404) + + details = { + "name": client.name, + "roles": client.roles, + "tenants": client.tenants, + } + + return web.json_response(details) + + +# Set up the routes for the client management API. + +routes = [ + web.get("/api/v1/clients", api_get_v1_clients), + web.get("/api/v1/clients/{client}", api_get_v1_clients_details), +] diff --git a/lookup-service/service/routes/clusters.py b/lookup-service/service/routes/clusters.py new file mode 100644 index 000000000..8f270debe --- /dev/null +++ b/lookup-service/service/routes/clusters.py 
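Review bot: In `api_get_v1_clients_details` the per-client restriction is keyed on `"tenant" in client_roles`, and `client_roles` is whatever `has_required_role("admin", "tenant")` returned in `roles_accepted`; if that helper returns every matching role (its implementation is outside this diff), a client holding both `admin` and `tenant` is confined to its own record despite being an admin. Expressing the rule as the absence of the admin role, `if "admin" not in client_roles and remote_client.name != client_name:`, matches the apparent intent either way. The current check fails closed, so this is a correctness point rather than an exposure.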
@@ -0,0 +1,415 @@ +"""REST API handlers for cluster management.""" + +import yaml +from aiohttp import web + +from .authnz import login_required, roles_accepted + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters(request: web.Request) -> web.Response: + """Returns a list of clusters available to the user.""" + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + data = { + "clusters": [ + {"name": cluster.name, "labels": cluster.labels} + for cluster in cluster_database.get_clusters() + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_details(request: web.Request) -> web.Response: + """Returns details for the specified cluster.""" + + cluster_name = request.match_info["cluster"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + details = { + "name": cluster.name, + "labels": cluster.labels, + } + + return web.json_response(details) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_kubeconfig(request: web.Request) -> web.Response: + """Returns a kubeconfig file for the specified cluster.""" + + cluster_name = request.match_info["cluster"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + kubeconfig = yaml.dump(cluster.kubeconfig) + + return web.Response(text=kubeconfig) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals(request: web.Request) -> web.Response: + """Returns a list of portals for the specified cluster.""" + + cluster_name = request.match_info["cluster"] + + 
service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + data = { + "portals": [ + { + "name": portal.name, + "uid": portal.uid, + "generation": portal.generation, + "labels": portal.labels, + "cluster": portal.cluster.name, + "url": portal.url, + "capacity": portal.capacity, + "allocated": portal.allocated, + "phase": portal.phase, + } + for portal in cluster.get_portals() + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals_details(request: web.Request) -> web.Response: + """Returns details for the specified portal running on a cluster.""" + + cluster_name = request.match_info["cluster"] + portal_name = request.match_info["portal"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + portal = cluster.get_portal(portal_name) + + if not portal: + return web.Response(text="Portal not available", status=404) + + details = { + "name": portal.name, + "uid": portal.uid, + "generation": portal.generation, + "labels": portal.labels, + "cluster": portal.cluster.name, + "url": portal.url, + "capacity": portal.capacity, + "allocated": portal.allocated, + "phase": portal.phase, + } + + return web.json_response(details) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals_environments( + request: web.Request, +) -> web.Response: + """Returns a list of environments for a portal running on a cluster.""" + + cluster_name = request.match_info["cluster"] + portal_name = request.match_info["portal"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + 
cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + portal = cluster.get_portal(portal_name) + + if not portal: + return web.Response(text="Portal not available", status=404) + + environments = portal.get_environments() + + data = { + "environments": [ + { + "name": environment.name, + "uid": environment.uid, + "generation": environment.generation, + "workshop": environment.workshop, + "title": environment.title, + "description": environment.description, + "labels": environment.labels, + "cluster": portal.cluster.name, + "portal": portal.name, + "capacity": environment.capacity, + "reserved": environment.reserved, + "allocated": environment.allocated, + "available": environment.available, + "phase": environment.phase, + } + for environment in environments + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals_environments_details( + request: web.Request, +) -> web.Response: + """Returns details for the specified environment running on a portal.""" + + cluster_name = request.match_info["cluster"] + portal_name = request.match_info["portal"] + environment_name = request.match_info["environment"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + portal = cluster.get_portal(portal_name) + + if not portal: + return web.Response(text="Portal not available", status=404) + + environment = portal.get_environment(environment_name) + + if not environment: + return web.Response(text="Environment not available", status=404) + + details = { + "name": environment.name, + "uid": environment.uid, + "generation": environment.generation, + "workshop": environment.workshop, + "title": environment.title, + "description": 
environment.description, + "labels": environment.labels, + "cluster": portal.cluster.name, + "portal": portal.name, + "capacity": environment.capacity, + "reserved": environment.reserved, + "allocated": environment.allocated, + "available": environment.available, + "phase": environment.phase, + } + + return web.json_response(details) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals_environments_sessions( + request: web.Request, +) -> web.Response: + """Returns a list of workshop sessions for an environment running on portal.""" + + cluster_name = request.match_info["cluster"] + portal_name = request.match_info["portal"] + environment_name = request.match_info["environment"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + portal = cluster.get_portal(portal_name) + + if not portal: + return web.Response(text="Portal not available", status=404) + + environment = portal.get_environment(environment_name) + + if not environment: + return web.Response(text="Environment not available", status=404) + + sessions = environment.get_sessions() + + data = { + "sessions": [ + { + "name": session.name, + "generation": session.generation, + "cluster": session.environment.portal.cluster.name, + "portal": session.environment.portal.name, + "environment": session.environment.name, + "workshop": session.environment.workshop, + "phase": session.phase, + "user": session.user, + } + for session in sessions + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals_environments_users( + request: web.Request, +) -> web.Response: + """Returns a list of users for an environment running on portal.""" + + cluster_name = request.match_info["cluster"] + portal_name = request.match_info["portal"] + 
environment_name = request.match_info["environment"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + portal = cluster.get_portal(portal_name) + + if not portal: + return web.Response(text="Portal not available", status=404) + + environment = portal.get_environment(environment_name) + + if not environment: + return web.Response(text="Environment not available", status=404) + + sessions = environment.get_sessions() + + users = set() + + for session in sessions: + if session.user not in users: + users.add(session.user) + + data = {"users": list(users)} + + return web.json_response(data) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_clusters_portals_environments_users_sessions( + request: web.Request, +) -> web.Response: + """Returns a list of workshop sessions for a user in an environment running on portal.""" + + cluster_name = request.match_info["cluster"] + portal_name = request.match_info["portal"] + environment_name = request.match_info["environment"] + user_name = request.match_info["user"] + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + cluster = cluster_database.get_cluster(cluster_name) + + if not cluster: + return web.Response(text="Cluster not available", status=404) + + portal = cluster.get_portal(portal_name) + + if not portal: + return web.Response(text="Portal not available", status=404) + + environment = portal.get_environment(environment_name) + + if not environment: + return web.Response(text="Environment not available", status=404) + + sessions = environment.get_sessions() + + data = { + "sessions": [ + { + "name": session.name, + "generation": session.generation, + "cluster": session.environment.portal.cluster.name, + "portal": session.environment.portal.name, + 
"environment": session.environment.name, + "workshop": session.environment.workshop, + "phase": session.phase, + "user": session.user, + } + for session in sessions + if session.user == user_name + ] + } + + return web.json_response(data) + + +# Set up the routes for the cluster management API. + +routes = [ + web.get("/api/v1/clusters", api_get_v1_clusters), + web.get("/api/v1/clusters/{cluster}", api_get_v1_clusters_details), + web.get("/api/v1/clusters/{cluster}/kubeconfig", api_get_v1_clusters_kubeconfig), + web.get("/api/v1/clusters/{cluster}/portals", api_get_v1_clusters_portals), + web.get( + "/api/v1/clusters/{cluster}/portals/{portal}", + api_get_v1_clusters_portals_details, + ), + web.get( + "/api/v1/clusters/{cluster}/portals/{portal}/environments", + api_get_v1_clusters_portals_environments, + ), + web.get( + "/api/v1/clusters/{cluster}/portals/{portal}/environments/{environment}", + api_get_v1_clusters_portals_environments_details, + ), + web.get( + "/api/v1/clusters/{cluster}/portals/{portal}/environments/{environment}/sessions", + api_get_v1_clusters_portals_environments_sessions, + ), + web.get( + "/api/v1/clusters/{cluster}/portals/{portal}/environments/{environment}/users", + api_get_v1_clusters_portals_environments_users, + ), + web.get( + "/api/v1/clusters/{cluster}/portals/{portal}/environments/{environment}/users/{user}/sessions", # pylint: disable=line-too-long + api_get_v1_clusters_portals_environments_users_sessions, + ), +] diff --git a/lookup-service/service/routes/portals.py b/lookup-service/service/routes/portals.py new file mode 100644 index 000000000..5508b6e56 --- /dev/null +++ b/lookup-service/service/routes/portals.py 
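Review bot: api_get_v1_clusters_kubeconfig serialises `cluster.kubeconfig` with `yaml.dump`, which will emit `!!python/object` tags if the stored kubeconfig ever contains non-plain Python values; `yaml.safe_dump(cluster.kubeconfig)` fails loudly instead and is the safer default for data handed to other tools. Because the body carries cluster credentials it should also be marked non-cacheable and its retrieval logged, e.g. `return web.Response(text=kubeconfig, content_type="application/yaml", headers={"Cache-Control": "no-store"})`. Separately, in api_get_v1_clusters_portals_environments_users the `if session.user not in users` test before `users.add` is redundant since adding to a set is idempotent; `users = {session.user for session in sessions}` expresses the same in one line.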
@@ -0,0 +1,44 @@ +"""REST API handlers for portal management.""" + +from aiohttp import web + +from .authnz import login_required, roles_accepted + + +@login_required +@roles_accepted("admin") +async def api_get_v1_portals(request: web.Request) -> web.Response: + """Returns a list of portals available to the user.""" + + service_state = request.app["service_state"] + cluster_database = service_state.cluster_database + + portals = [] + + for cluster in cluster_database.get_clusters(): + for portal in cluster.get_portals(): + portals.append(portal) + + data = { + "portals": [ + { + "name": portal.name, + "uid": portal.uid, + "generation": portal.generation, + "labels": portal.labels, + "cluster": portal.cluster.name, + "url": portal.url, + "capacity": portal.capacity, + "allocated": portal.allocated, + "phase": portal.phase, + } + for portal in portals + ] + } + + return web.json_response(data) + + +# Set up the routes for the portal management API. + +routes = [web.get("/api/v1/portals", api_get_v1_portals)] diff --git a/lookup-service/service/routes/tenants.py b/lookup-service/service/routes/tenants.py new file mode 100644 index 000000000..9333f5ca6 --- /dev/null +++ b/lookup-service/service/routes/tenants.py 
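Review bot: The nested for-loops in api_get_v1_portals exist only to flatten portals across clusters before the comprehension walks them again; `portals = [portal for cluster in cluster_database.get_clusters() for portal in cluster.get_portals()]` does the same in one step. This endpoint and api_get_v1_clusters_portals in clusters.py build the identical per-portal dictionary, so a shared helper would keep the two response shapes from drifting apart.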
@@ -0,0 +1,182 @@ +"""REST API handlers for tenant management.""" + +from aiohttp import web + +from .authnz import login_required, roles_accepted + + +def get_clients_mapped_to_tenant(client_database, tenant_name: str) -> int: + """Return the names of the clients mapped to the tenant.""" + + return [ + client.name + for client in client_database.get_clients() + if client.allowed_access_to_tenant(tenant_name) + ] + + +@login_required +@roles_accepted("admin") +async def api_get_v1_tenants(request: web.Request) -> web.Response: + """Returns a list of tenants.""" + + service_state = request.app["service_state"] + tenant_database = service_state.tenant_database + client_database = service_state.client_database + + data = { + "tenants": [ + { + "name": tenant.name, + "clients": get_clients_mapped_to_tenant(client_database, tenant.name), + } + for tenant in tenant_database.get_tenants() + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_tenants_details(request: web.Request) -> web.Response: + """Returns details for the specified tenant.""" + + tenant_name = request.match_info["tenant"] + + service_state = request.app["service_state"] + tenant_database = service_state.tenant_database + client_database = service_state.client_database + + tenant = tenant_database.get_tenant(tenant_name) + + if not tenant: + return web.Response(text="Tenant not available", status=404) + + details = { + "name": tenant.name, + "clients": get_clients_mapped_to_tenant(client_database, tenant.name), + } + + return web.json_response(details) + + +@login_required +@roles_accepted("admin") +async def api_get_v1_tenants_portals(request: web.Request) -> web.Response: + """Returns a list of portals for the specified tenant.""" + + service_state = request.app["service_state"] + tenant_database = service_state.tenant_database + + # Grab tenant name from path parameters. 
If the client has the tenant role + # they can only access tenants they are mapped to. + + tenant_name = request.match_info["tenant"] + + if not tenant_name: + return web.Response(text="Missing tenant name", status=400) + + client_roles = request["client_roles"] + + # Note that currently "tenant" is not within the allowed roles but leaving + # this code here in case in future we allow access to this endpoint to + # users with the "tenant" role. + + if "tenant" in client_roles: + client = request["remote_client"] + + if not client.allowed_access_to_tenant(tenant_name): + return web.Response(text="Client access not permitted", status=403) + + # Work out the set of portals accessible for this tenant. + + tenant = tenant_database.get_tenant(tenant_name) + + if not tenant: + return web.Response(text="Tenant not available", status=404) + + accessible_portals = tenant.portals_which_are_accessible() + + # Generate the list of portals available to the user for this tenant. + + data = { + "portals": [ + { + "name": portal.name, + "uid": portal.uid, + "generation": portal.generation, + "labels": portal.labels, + "cluster": portal.cluster.name, + "url": portal.url, + "capacity": portal.capacity, + "allocated": portal.allocated, + "phase": portal.phase, + } + for portal in accessible_portals + ] + } + + return web.json_response(data) + + +@login_required +@roles_accepted("admin", "tenant") +async def api_get_v1_tenants_workshops(request: web.Request) -> web.Response: + """Returns a list of workshops for the specified tenant.""" + + service_state = request.app["service_state"] + tenant_database = service_state.tenant_database + + # Grab tenant name from path parameters. If the client has the tenant role + # they can only access tenants they are mapped to. 
+ + tenant_name = request.match_info["tenant"] + + if not tenant_name: + return web.Response(text="Missing tenant name", status=400) + + client_roles = request["client_roles"] + + if "tenant" in client_roles: + client = request["remote_client"] + + if not client.allowed_access_to_tenant(tenant_name): + return web.Response(text="Client access not permitted", status=403) + + # Work out the set of portals accessible for this tenant. + + tenant = tenant_database.get_tenant(tenant_name) + + if not tenant: + return web.Response(text="Tenant not available", status=404) + + accessible_portals = tenant.portals_which_are_accessible() + + # Generate the list of workshops available to the user for this tenant which + # are in a running state. We need to eliminate any duplicates as a workshop + # may be available through multiple training portals. We use the title and + # description from the last found so we expect these to be consistent. + + workshops = {} + + for portal in accessible_portals: + for environment in portal.get_running_environments(): + workshops[environment.workshop] = { + "name": environment.workshop, + "title": environment.title, + "description": environment.description, + "labels": environment.labels, + } + + return web.json_response({"workshops": list(workshops.values())}) + + +# Set up the routes for the tenant management API. + +routes = [ + web.get("/api/v1/tenants", api_get_v1_tenants), + web.get("/api/v1/tenants/{tenant}", api_get_v1_tenants_details), + web.get("/api/v1/tenants/{tenant}/portals", api_get_v1_tenants_portals), + web.get("/api/v1/tenants/{tenant}/workshops", api_get_v1_tenants_workshops), +] diff --git a/lookup-service/service/routes/workshops.py b/lookup-service/service/routes/workshops.py new file mode 100644 index 000000000..4f47dddfa --- /dev/null +++ b/lookup-service/service/routes/workshops.py 
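Review bot: get_clients_mapped_to_tenant is annotated `-> int` but returns the list comprehension of client names; the annotation should be `-> List[str]` (importing `List` from typing, as workshops.py does) so that readers and type checkers see the real contract. In api_get_v1_tenants_portals and api_get_v1_tenants_workshops the `if not tenant_name` check after `request.match_info["tenant"]` looks unreachable, since aiohttp only routes a `{tenant}` segment when it is non-empty; if it is meant as belt-and-braces, a one-line comment saying so would stop the next reader from removing it. The unknown-tenant lookup here returns 404, while the same lookup in workshops.py returns 503; the two files should agree on the status.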
@@ -0,0 +1,347 @@ +"""REST API handlers for workshop requests.""" + +import logging +from typing import List + +from aiohttp import web + +from ..caches.environments import WorkshopEnvironment +from .authnz import login_required, roles_accepted + +logger = logging.getLogger("educates") + + +@login_required +@roles_accepted("admin", "tenant") +async def api_get_v1_workshops(request: web.Request) -> web.Response: + """Returns a list of workshops available.""" + + service_state = request.app["service_state"] + tenant_database = service_state.tenant_database + + # Get the tenant name from the query parameters. This is required when + # the client role is "tenant". + + tenant_name = request.query.get("tenant") + + client = request["remote_client"] + client_roles = request["client_roles"] + + if "tenant" in client_roles: + if not tenant_name: + logger.warning( + "Missing tenant name in request from client %r.", client.name + ) + + return web.Response(text="Missing tenant name", status=400) + + client = request["remote_client"] + + if not client.allowed_access_to_tenant(tenant_name): + return web.Response(text="Client not allowed access to tenant", status=403) + + # Work out the set of portals accessible by the specified tenant. + + if tenant_name: + tenant = tenant_database.get_tenant(tenant_name) + + if not tenant: + return web.Response(text="Tenant not available", status=503) + + accessible_portals = tenant.portals_which_are_accessible() + + else: + # Collect list of portals from all the clusters. + + accessible_portals = [] + + cluster_database = service_state.cluster_database + + for cluster in cluster_database.get_clusters(): + accessible_portals.extend(cluster.get_portals()) + + # Generate the list of workshops available to the user for this tenant which + # are in a running state. We need to eliminate any duplicates as a workshop + # may be available through multiple training portals. 
We use the title and + # description from the last found so we expect these to be consistent. + + workshops = {} + + for portal in accessible_portals: + for environment in portal.get_running_environments(): + workshops[environment.workshop] = { + "name": environment.workshop, + "title": environment.title, + "description": environment.description, + "labels": environment.labels, + } + + return web.json_response({"workshops": list(workshops.values())}) + + +@login_required +@roles_accepted("admin", "tenant") +async def api_post_v1_workshops(request: web.Request) -> web.Response: + """Returns a workshop session for the specified tenant and workshop.""" + + data = await request.json() + + client = request["remote_client"] + + tenant_name = data.get("tenantName") + + # TODO: Need to see how can use the action ID supplied by the client. At the + # moment we just log it. + + user_id = client.user or data.get("clientUserId") or "" + action_id = data.get("clientActionId") or "" # pylint: disable=unused-variable + index_url = data.get("clientIndexUrl") or "" + + workshop_name = data.get("workshopName") + parameters = data.get("workshopParams", []) + + logger.info( + "Workshop request from client %r for tenant %r, workshop %r, user %r, action %r", + client.name, + tenant_name, + workshop_name, + user_id, + action_id, + ) + + if not tenant_name: + logger.warning("Missing tenant name in request from client %r.", client.name) + + return web.Response(text="Missing tenantName", status=400) + + if not workshop_name: + logger.warning("Missing workshop name in request from client %r.", client.name) + + return web.Response(text="Missing workshopName", status=400) + + # Check that client is allowed access to this tenant. 
+ + client = request["remote_client"] + + if not client.allowed_access_to_tenant(tenant_name): + logger.warning( + "Client %r not allowed access to tenant %r", client.name, tenant_name + ) + + return web.Response(text="Client not allowed access to tenant", status=403) + + # Find the portals accessible to the tenant which hosts the workshop. + + service_state = request.app["service_state"] + tenant_database = service_state.tenant_database + + tenant = tenant_database.get_tenant(tenant_name) + + if not tenant: + logger.error("Configuration for tenant %r could not be found", tenant_name) + + return web.Response(text="Tenant not available", status=503) + + # Get the list of portals hosting the workshop and calculate the subset + # that are accessible to the tenant. + + accessible_portals = tenant.portals_which_are_accessible() + + selected_portals = [] + + for portal in accessible_portals: + if portal.hosts_workshop(workshop_name): + selected_portals.append(portal) + + # If there are no resulting portals, then the workshop is not available to + # the tenant. + + if not selected_portals: + logger.warning( + "Workshop %s requested by client %r not available to tenant %r", + workshop_name, + client.name, + tenant_name, + ) + + return web.Response(text="Workshop not available", status=503) + + # If a user ID is supplied, check each of the portals to see if this user + # already has a workshop session for this workshop. + + if user_id: + for portal in selected_portals: + session = portal.find_existing_workshop_session_for_user( + user_id, workshop_name + ) + + if session: + data = await session.reacquire_workshop_session(index_url) + + if data: + data["tenantName"] = tenant_name + return web.json_response(data) + + # Find the set of workshop environments for the specified workshop that are + # in a running state. If there are no such environments, then the workshop + # is not available. 
+ + environments = [] + + for portal in selected_portals: + for environment in portal.get_running_environments(): + if environment.workshop == workshop_name: + environments.append(environment) + + if not environments: + logger.warning( + "Workshop %r requested by client %r not available", + workshop_name, + client.name, + ) + + return web.Response(text="Workshop not available", status=503) + + # Sort the workshop environments so that those deemed to be the best + # candidates for running a workshop session are at the front of the list. + + environments = sort_workshop_environments(environments) + + # Loop over the workshop environments and try to allocate a session. + + for environment in environments: + data = await environment.request_workshop_session( + user_id, parameters, index_url + ) + + if data: + data["tenantName"] = tenant_name + return web.json_response(data) + + # If we get here, then we don't believe there is any available capacity for + # creating a workshop session. + + logger.warning( + "Workshop %r requested by client %r not available", workshop_name, client.name + ) + + return web.Response(text="Workshop not available", status=503) + + +def sort_workshop_environments( + environments: List[WorkshopEnvironment], +) -> List[WorkshopEnvironment]: + """Sort the list of workshop environments such that those deemed to be the + best candidates for running a workshop session are at the front of the + list.""" + + def score_based_on_portal_availability(environment: WorkshopEnvironment) -> int: + """Return a score based on the remaining capacity of the portal hosting + the workshop environment. Note that at this point we only return 0 or 1 + indicating whether there is any capacity left or not and not how much + capacity.""" + + # If the portal doesn't have a maximum capacity specified and as such + # there is no limit to the number of workshop sessions return 1. 
+ + if not environment.portal.capacity: + return 1 + + # If the portal has a maximum capacity specified and there is no more + # capacity left, return 0. + + if environment.portal.capacity - environment.portal.allocated <= 0: + return 0 + + # Otherwise return 1 indicating there is capacity. + + return 1 + + def score_based_on_environment_availability( + environment: WorkshopEnvironment, + ) -> int: + """Return a score based on the remaining capacity of the workshop + environment. Note that at this point we only return 0 or 1 indicating + whether there is any capacity left or not and not how much capacity.""" + + # If the environment doesn't have a maximum capacity specified and as + # such there is no limit to the number of workshop sessions return 1. + + if not environment.capacity: + return 1 + + # If the environment has a maximum capacity specified and there is no + # more capacity left, return 0. + + if environment.capacity - environment.allocated <= 0: + return 0 + + # Otherwise return 1 indicating there is capacity. + + return 1 + + def score_based_on_reserved_sessions(environment: WorkshopEnvironment) -> int: + """Return a score based on the number of reserved sessions currently + available for the workshop environment. Where as we didn't before, we + also take into account the actual available capacity of the portal + hosting the workshop environment.""" + + # If the portal doesn't have a maximum capacity specified we treat it + # as if there is only 1 spot left so that we give priority to portals + # that do specify an actual capacity. + + capacity = 1 + + if environment.portal.capacity: + capacity = environment.portal.capacity - environment.portal.allocated + + # Return the capacity of the portal in conjunction with the number of + # reserved sessions which are currently available. 
+ + return (capacity, environment.available) + + def score_based_on_available_capacity(environment: WorkshopEnvironment) -> int: + """Return a score based on the available capacity of the workshop + environment. Where as we didn't before, we also take into account the + actual available capacity of the portal hosting the workshop + environment.""" + + # If the portal doesn't have a maximum capacity specified we treat it + # as if there is only 1 spot left so that we give priority to portals + # that do specify an actual capacity. + + capacity = 1 + + if environment.portal.capacity: + capacity = environment.portal.capacity - environment.portal.allocated + + # If the environment doesn't have a maximum capacity specified we treat + # it as if there is only 1 spot left so that we give priority to + # environments that do specify an actual capacity. + + if not environment.capacity: + return (capacity, 1) + + # Return the capacity of the portal in conjunction with the available + # capacity of the workshop environment. + + return (capacity, environment.capacity - environment.allocated) + + return sorted( + environments, + key=lambda environment: ( + score_based_on_portal_availability(environment), + score_based_on_environment_availability(environment), + score_based_on_reserved_sessions(environment), + score_based_on_available_capacity(environment), + ), + reverse=True, + ) + + +# Set up the routes for the workshop management API. + +routes = [ + web.get("/api/v1/workshops", api_get_v1_workshops), + web.post("/api/v1/workshops", api_post_v1_workshops), +] diff --git a/lookup-service/service/service.py b/lookup-service/service/service.py new file mode 100644 index 000000000..5d5aff658 --- /dev/null +++ b/lookup-service/service/service.py 
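Review bot: api_post_v1_workshops calls `data.get(...)` on the result of `await request.json()` without checking that the body parsed and is an object, so a malformed body or a JSON array from an authenticated client surfaces as an unhandled exception (a 500) instead of a 400; the excerpt below adds that guard (aiohttp raises a `ValueError` subclass on bad JSON, so no new import is needed). Likewise `workshopParams` is passed to `request_workshop_session` unchecked, and `user_id` falls back to the caller-supplied `clientUserId` when the client has no fixed user and then drives `find_existing_workshop_session_for_user`, so confirm in the caches that this identifier is scoped per client or tenant if portals can be shared between tenants. In sort_workshop_environments, `score_based_on_reserved_sessions` and `score_based_on_available_capacity` are annotated `-> int` but return 2-tuples; `-> Tuple[int, int]` (with `Tuple` added to the typing import) is the real type. The unknown-tenant case returns 503 in both handlers here but 404 in tenants.py, which should be reconciled.
```python
async def api_post_v1_workshops(request: web.Request) -> web.Response:
    """Returns a workshop session for the specified tenant and workshop."""

    try:
        data = await request.json()
    except ValueError:
        return web.Response(text="Malformed JSON body", status=400)

    if not isinstance(data, dict):
        return web.Response(text="JSON body must be an object", status=400)

    client = request["remote_client"]

    # … unchanged: tenantName / workshopName extraction, access checks and session allocation …
```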
@@ -0,0 +1,21 @@
+"""Custom operator context object for the service."""
+
+from dataclasses import dataclass
+
+from .caches.databases import (
+ ClientDatabase,
+ TenantDatabase,
+ ClusterDatabase,
+)
+
+
+@dataclass
+class ServiceState:
+ """Custom operator context object for the service."""
+
+ client_database: ClientDatabase
+ tenant_database: TenantDatabase
+ cluster_database: ClusterDatabase
+
+ def __copy__(self) -> "ServiceState":
+ return self
diff --git a/lookup-service/start-service.sh b/lookup-service/start-service.sh
new file mode 100755
index 000000000..37bdaccf0
--- /dev/null
+++ b/lookup-service/start-service.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Start the service.
+
+exec python -m service.main
diff --git a/package-repository/.imgpkg/bundle.yml b/package-repository/.imgpkg/bundle.yml
index d6872b5a3..b54f590d2 100644
--- a/package-repository/.imgpkg/bundle.yml
+++ b/package-repository/.imgpkg/bundle.yml
@@ -4,7 +4,9 @@ kind: Bundle
 metadata:
 name: educates
 authors:
-- name: Graham Dumpleton
- email: gdumpleton@vmware.com
+ - name: Graham Dumpleton
+ email: graham.dumpleton@broadcom.com
+ - name: Jorge Morales
+ email: jorge.morales@broadcom.com
 websites:
-- url: github.com/vmware-tanzu-labs/educates-package-repository
+ - url: github.com/vmware-tanzu-labs/educates-package-repository
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.1.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.1.yaml
deleted file mode 100644
index e43a8515e..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.1.yaml
+++ /dev/null
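Review bot: ServiceState.__copy__ returns `self` with no explanation, and the class docstring merely repeats the module docstring, so the one non-obvious line in the file is undocumented; a comment such as `# copy.copy(state) hands back this same instance rather than a duplicate, so the three databases stay shared.` makes the intent explicit (why callers copy the state is not visible here, so confirm it against the caller). Making `copy.copy` silently non-copying is easy to miss from a call site, and this comment is the only place that will say so.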
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.1 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.1 - releasedAt: "2022-06-29T00:53:03Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.1 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.10.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.10.yaml deleted file mode 100644 index 7e8a4b634..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.10.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.10 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.10 - releasedAt: "2023-01-22T04:48:18Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.10 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.12.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.12.yaml deleted file mode 100644 index 3e73e8aeb..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.12.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.12 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.12 - releasedAt: "2023-01-22T08:35:48Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.12 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.2.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.2.yaml deleted file mode 100644 index 8489a3985..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.2.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.2 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.2 - releasedAt: "2022-07-07T04:47:54Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.2 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.4.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.4.yaml deleted file mode 100644 index c9acfa1aa..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.4.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.4 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.4 - releasedAt: "2022-07-13T23:42:13Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.4 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.5.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.5.yaml deleted file mode 100644 index 049d1bf20..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.5.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.5 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.5 - releasedAt: "2022-07-14T07:12:24Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.5 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.6.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.6.yaml deleted file mode 100644 index cdd760585..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.6.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.6 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.6 - releasedAt: "2022-07-20T06:40:27Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.6 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.7.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.7.yaml deleted file mode 100644 index 9b89d0728..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.7.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.7 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.7 - releasedAt: "2022-07-28T02:09:52Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.7 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.8.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.8.yaml deleted file mode 100644 index 9b8f6e1d3..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.8.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.8 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.8 - releasedAt: "2022-07-29T05:53:18Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.8 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.9.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.9.yaml deleted file mode 100644 index 715740885..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.9.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.0.9 -spec: - refName: cluster-essentials.educates.dev - version: 2.0.9 - releasedAt: "2023-01-22T00:47:00Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.9 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.1.0.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.1.0.yaml deleted file mode 100644 index 96e218862..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.1.0.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.1.0 -spec: - refName: cluster-essentials.educates.dev - version: 2.1.0 - releasedAt: "2023-03-14T02:01:30Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.1.0 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.2.0.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.2.0.yaml deleted file mode 100644 index 925af0874..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.2.0.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.2.0 -spec: - refName: cluster-essentials.educates.dev - version: 2.2.0 - releasedAt: "2023-04-26T09:10:00Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.2.0 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.2.1.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.2.1.yaml deleted file mode 100644 index 67ca51a13..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.2.1.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.2.1 -spec: - refName: cluster-essentials.educates.dev - version: 2.2.1 - releasedAt: "2023-05-04T01:59:15Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.2.1 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.3.0.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.3.0.yaml deleted file mode 100644 index ada79bdb6..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.3.0.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.3.0 -spec: - refName: cluster-essentials.educates.dev - version: 2.3.0 - releasedAt: "2023-05-16T03:12:26Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.3.0 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.4.0.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.4.0.yaml deleted file mode 100644 index 6f877aabf..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.4.0.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.4.0 -spec: - refName: cluster-essentials.educates.dev - version: 2.4.0 - releasedAt: "2023-05-24T08:07:31Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.4.0 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.4.1.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.4.1.yaml deleted file mode 100644 index f5c5df4c9..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.4.1.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.4.1 -spec: - refName: cluster-essentials.educates.dev - version: 2.4.1 - releasedAt: "2023-05-26T06:31:46Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.4.1 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.0.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.0.yaml deleted file mode 100644 index 671f15f2b..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.0.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.5.0 -spec: - refName: cluster-essentials.educates.dev - version: 2.5.0 - releasedAt: "2023-06-05T09:15:55Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.5.0 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.1.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.1.yaml deleted file mode 100644 index 21b42ac89..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.1.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.5.1 -spec: - refName: cluster-essentials.educates.dev - version: 2.5.1 - releasedAt: "2023-06-16T13:58:08Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.5.1 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.2.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.2.yaml deleted file mode 100644 index 9d690d5b3..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.2.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: cluster-essentials.educates.dev.2.5.2 -spec: - refName: cluster-essentials.educates.dev - version: 2.5.2 - releasedAt: "2023-06-26T10:10:54Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - clusterPackages: - type: object - additionalProperties: false - properties: - contour: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - kyverno: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: true - settings: - nullable: true - default: {} - metacontroller: - type: object - additionalProperties: false - properties: - enabled: - type: boolean - default: false - settings: - nullable: true - default: {} - clusterInfrastructure: - type: object - additionalProperties: false - properties: - provider: - type: string - default: "" - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.5.2 - template: - - ytt: - paths: - - config - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.3.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.3.yaml deleted file mode 100644 index 2421097ec..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.3.yaml +++ /dev/null 
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.5.3
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.5.3
- releasedAt: "2023-07-13T22:28:54Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.5.3
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.4.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.4.yaml
deleted file mode 100644
index da70a35e6..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.4.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.5.4
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.5.4
- releasedAt: "2023-07-21T01:33:24Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.5.4
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.5.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.5.yaml
deleted file mode 100644
index a0be49bed..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.5.5.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.5.5
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.5.5
- releasedAt: "2023-08-20T10:26:49Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.5.5
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.0.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.0.yaml
deleted file mode 100644
index b174b1493..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.0.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.0
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.0
- releasedAt: "2023-08-18T02:51:03Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.0
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.1.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.1.yaml
deleted file mode 100644
index d97dfb36a..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.1.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.1
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.1
- releasedAt: "2023-08-18T12:03:22Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.1
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.10.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.10.yaml
deleted file mode 100644
index 0906b14b7..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.10.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.10
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.10
- releasedAt: "2023-09-14T02:27:30Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.10
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.11.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.11.yaml
deleted file mode 100644
index 3e8d782a5..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.11.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.11
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.11
- releasedAt: "2023-09-17T09:27:10Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.11
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.12.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.12.yaml
deleted file mode 100644
index dc847d948..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.12.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.12
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.12
- releasedAt: "2023-09-19T11:57:33Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.12
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.13.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.13.yaml
deleted file mode 100644
index 954698e19..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.13.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.13
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.13
- releasedAt: "2023-09-21T13:56:44Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.13
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.14.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.14.yaml
deleted file mode 100644
index 709bd05e2..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.14.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.14
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.14
- releasedAt: "2023-09-25T03:26:16Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.14
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.15.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.15.yaml
deleted file mode 100644
index b7f490b87..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.15.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.15
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.15
- releasedAt: "2023-10-03T01:42:00Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.15
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.16.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.16.yaml
deleted file mode 100644
index c1c198840..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.16.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.16
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.16
- releasedAt: "2023-10-13T06:56:48Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.16
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.2.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.2.yaml
deleted file mode 100644
index b1933a8ad..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.2.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.2
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.2
- releasedAt: "2023-08-20T01:40:20Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.2
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.3.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.3.yaml
deleted file mode 100644
index fcdedf147..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.3.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.3
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.3
- releasedAt: "2023-08-22T03:09:46Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.3
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.4.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.4.yaml
deleted file mode 100644
index d99d6388b..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.4.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.4
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.4
- releasedAt: "2023-08-22T11:57:34Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.4
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.5.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.5.yaml
deleted file mode 100644
index 013ca0546..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.5.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.5
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.5
- releasedAt: "2023-08-25T03:42:08Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.5
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.6.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.6.yaml
deleted file mode 100644
index fbced57d1..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.6.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.6
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.6
- releasedAt: "2023-08-30T07:18:45Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.6
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.7.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.7.yaml
deleted file mode 100644
index 6c6b4fbb9..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.7.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.7
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.7
- releasedAt: "2023-09-01T07:30:55Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.7
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.8.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.8.yaml
deleted file mode 100644
index 4e82b67af..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.8.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.8
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.8
- releasedAt: "2023-09-08T08:51:22Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.8
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.9.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.9.yaml
deleted file mode 100644
index 358194a14..000000000
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.6.9.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: data.packaging.carvel.dev/v1alpha1
-kind: Package
-metadata:
- name: cluster-essentials.educates.dev.2.6.9
-spec:
- refName: cluster-essentials.educates.dev
- version: 2.6.9
- releasedAt: "2023-09-11T03:24:35Z"
- valuesSchema:
- openAPIv3:
- type: object
- additionalProperties: false
- properties:
- clusterPackages:
- type: object
- additionalProperties: false
- properties:
- contour:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- kyverno:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: true
- settings:
- nullable: true
- default: {}
- metacontroller:
- type: object
- additionalProperties: false
- properties:
- enabled:
- type: boolean
- default: false
- settings:
- nullable: true
- default: {}
- clusterInfrastructure:
- type: object
- additionalProperties: false
- properties:
- provider:
- type: string
- default: ""
- clusterSecurity:
- type: object
- additionalProperties: false
- properties:
- policyEngine:
- type: string
- default: none
- template:
- spec:
- fetch:
- - imgpkgBundle:
- image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.6.9
- template:
- - ytt:
- paths:
- - config
- - kbld:
- paths:
- - .imgpkg/images.yml
- - '-'
- deploy:
- - kapp:
- rawOptions:
- - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.3.yaml b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.7.2.yaml
similarity index 94%
rename from package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.3.yaml
rename to package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.7.2.yaml
index 53b016f39..23c92479d 100644
--- a/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.0.3.yaml
+++ b/package-repository/packages/cluster-essentials.educates.dev/educates-cluster-essentials-2.7.2.yaml @@ -1,11 +1,11 @@ apiVersion: data.packaging.carvel.dev/v1alpha1 kind: Package metadata: - name: cluster-essentials.educates.dev.2.0.3 + name: cluster-essentials.educates.dev.2.7.2 spec: refName: cluster-essentials.educates.dev - version: 2.0.3 - releasedAt: "2022-07-12T06:10:05Z" + version: 2.7.2 + releasedAt: "2024-06-14T12:15:31Z" valuesSchema: openAPIv3: type: object @@ -63,7 +63,7 @@ spec: spec: fetch: - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.0.3 + image: ghcr.io/vmware-tanzu-labs/educates-cluster-essentials:2.7.2 template: - ytt: paths: diff --git a/package-repository/packages/cluster-essentials.educates.dev/metadata.yaml b/package-repository/packages/cluster-essentials.educates.dev/metadata.yaml deleted file mode 100644 index 8ed042ccd..000000000 --- a/package-repository/packages/cluster-essentials.educates.dev/metadata.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: PackageMetadata -metadata: - name: cluster-essentials.educates.dev - namespace: default -spec: - displayName: "Educates Cluster Essentials" - shortDescription: "Set of packages required to be installed to the cluster for Educates." - providerName: VMware - maintainers: - - name: "Graham Dumpleton" diff --git a/package-repository/packages/installer.educates.dev/metadata.yaml b/package-repository/packages/installer.educates.dev/metadata.yaml new file mode 100644 index 000000000..b665b3efa --- /dev/null +++ b/package-repository/packages/installer.educates.dev/metadata.yaml 
@@ -0,0 +1,12 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+ name: installer.educates.dev
+ namespace: default
+spec:
+ displayName: "Educates Training Platform Installer"
+ shortDescription: "Installer for Educates, a platform for hosting interactive workshop environments in Kubernetes."
+ providerName: VMware
+ maintainers:
+ - name: "Graham Dumpleton"
+ - name: "Jorge Morales"
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.1.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.1.yaml
deleted file mode 100644
index aecca892f..000000000
--- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.1.yaml
+++ /dev/null
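Review bot: Adding this PackageMetadata for installer.educates.dev leaves the repository with a Package that has no matching metadata: the preceding section deletes cluster-essentials.educates.dev/metadata.yaml, yet educates-cluster-essentials-2.7.2.yaml (renamed from 2.0.3 above) still declares `refName: cluster-essentials.educates.dev`. Tooling that lists available packages will show that entry with no display name, description or maintainers, which looks unintended given that every other cluster-essentials version is removed here. Either drop the retained 2.7.2 Package file along with the others, or keep its metadata.yaml alongside this new one. If a part of the change outside this view already removes that Package, this is moot.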
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.1 -spec: - refName: training-platform.educates.dev - version: 2.0.1 - releasedAt: "2022-06-29T00:53:07Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.1 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.10.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.10.yaml deleted file mode 100644 index 14b1ace13..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.10.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.10 -spec: - refName: training-platform.educates.dev - version: 2.0.10 - releasedAt: "2023-01-22T04:48:23Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.10 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.12.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.12.yaml deleted file mode 100644 index 0ee3956cf..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.12.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.12 -spec: - refName: training-platform.educates.dev - version: 2.0.12 - releasedAt: "2023-01-22T08:35:55Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.12 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.2.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.2.yaml deleted file mode 100644 index 067810e50..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.2.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.2 -spec: - refName: training-platform.educates.dev - version: 2.0.2 - releasedAt: "2022-07-07T04:47:57Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.2 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.3.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.3.yaml deleted file mode 100644 index b97a96f2a..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.3.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.3 -spec: - refName: training-platform.educates.dev - version: 2.0.3 - releasedAt: "2022-07-12T06:10:13Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.3 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.4.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.4.yaml deleted file mode 100644 index 50e0f9d8f..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.4.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.4 -spec: - refName: training-platform.educates.dev - version: 2.0.4 - releasedAt: "2022-07-13T23:42:18Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.4 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.5.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.5.yaml deleted file mode 100644 index 65d4e5ac1..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.5.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.5 -spec: - refName: training-platform.educates.dev - version: 2.0.5 - releasedAt: "2022-07-14T07:12:33Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.5 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.6.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.6.yaml deleted file mode 100644 index bf5b4c4a2..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.6.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.6 -spec: - refName: training-platform.educates.dev - version: 2.0.6 - releasedAt: "2022-07-20T06:40:32Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.6 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.7.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.7.yaml deleted file mode 100644 index 53535b08f..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.7.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.7 -spec: - refName: training-platform.educates.dev - version: 2.0.7 - releasedAt: "2022-07-28T02:10:01Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.7 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.8.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.8.yaml deleted file mode 100644 index 0feb7f66d..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.8.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.8 -spec: - refName: training-platform.educates.dev - version: 2.0.8 - releasedAt: "2022-07-29T05:53:23Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.8 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.9.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.9.yaml deleted file mode 100644 index 3beae240b..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.0.9.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.0.9 -spec: - refName: training-platform.educates.dev - version: 2.0.9 - releasedAt: "2023-01-22T00:47:06Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - 
clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - rootless: - type: boolean - default: false - privileged: - type: boolean - default: true - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - 
workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.0.9 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.1.0.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.1.0.yaml deleted file mode 100644 index 5a2051711..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.1.0.yaml +++ /dev/null 
@@ -1,315 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.1.0 -spec: - refName: training-platform.educates.dev - version: 2.1.0 - releasedAt: "2023-03-14T02:01:37Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: 
false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: 
false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.1.0 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.2.0.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.2.0.yaml deleted file mode 100644 index 4d4f512f1..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.2.0.yaml +++ /dev/null 
@@ -1,315 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.2.0 -spec: - refName: training-platform.educates.dev - version: 2.2.0 - releasedAt: "2023-04-26T09:10:08Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: 
false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: 
false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.2.0 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.2.1.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.2.1.yaml deleted file mode 100644 index 298d3c845..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.2.1.yaml +++ /dev/null 
@@ -1,315 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.2.1 -spec: - refName: training-platform.educates.dev - version: 2.2.1 - releasedAt: "2023-05-04T01:59:21Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: 
false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: 
false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.2.1 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.3.0.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.3.0.yaml deleted file mode 100644 index 00363136f..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.3.0.yaml +++ /dev/null 
@@ -1,352 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.3.0 -spec: - refName: training-platform.educates.dev - version: 2.3.0 - releasedAt: "2023-05-16T03:12:32Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 
169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.3.0 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.4.0.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.4.0.yaml deleted file mode 100644 index 8396891df..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.4.0.yaml +++ /dev/null 
@@ -1,375 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.4.0 -spec: - refName: training-platform.educates.dev - version: 2.4.0 - releasedAt: "2023-05-24T08:07:35Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 
169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.4.0 - template: - - ytt: - paths: - - config - - 
kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.4.1.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.4.1.yaml deleted file mode 100644 index 931736dbf..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.4.1.yaml +++ /dev/null 
@@ -1,375 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.4.1 -spec: - refName: training-platform.educates.dev - version: 2.4.1 - releasedAt: "2023-05-26T06:31:51Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 
169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.4.1 - template: - - ytt: - paths: - - config - - 
kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.0.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.0.yaml deleted file mode 100644 index a2c8cd541..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.0.yaml +++ /dev/null 
@@ -1,375 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.5.0 -spec: - refName: training-platform.educates.dev - version: 2.5.0 - releasedAt: "2023-06-05T09:15:58Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 
169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.5.0 - template: - - ytt: - paths: - - config - - 
kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.1.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.1.yaml deleted file mode 100644 index 905eff610..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.1.yaml +++ /dev/null 
@@ -1,375 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.5.1 -spec: - refName: training-platform.educates.dev - version: 2.5.1 - releasedAt: "2023-06-16T13:58:13Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 
169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.5.1 - template: - - ytt: - paths: - - config - - 
kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.2.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.2.yaml deleted file mode 100644 index e28a92995..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.2.yaml +++ /dev/null 
@@ -1,375 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.5.2 -spec: - refName: training-platform.educates.dev - version: 2.5.2 - releasedAt: "2023-06-26T10:10:57Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 
169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.5.2 - template: - - ytt: - paths: - - config - - 
kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.3.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.3.yaml deleted file mode 100644 index 7288e91d7..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.3.yaml +++ /dev/null 
@@ -1,382 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.5.3 -spec: - refName: training-platform.educates.dev - version: 2.5.3 - releasedAt: "2023-07-13T22:29:02Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - 
image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.5.3 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.4.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.4.yaml deleted file mode 100644 index 0d98296de..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.4.yaml +++ /dev/null 
@@ -1,382 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.5.4 -spec: - refName: training-platform.educates.dev - version: 2.5.4 - releasedAt: "2023-07-21T01:33:30Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - 
image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.5.4 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.5.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.5.yaml
deleted file mode 100644
index 0461f3260..000000000
--- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.5.5.yaml
+++ /dev/null
@@ -1,382 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.5.5 -spec: - refName: training-platform.educates.dev - version: 2.5.5 - releasedAt: "2023-08-20T10:26:52Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - 
image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.5.5 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.0.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.0.yaml
deleted file mode 100644
index 4310c3e5c..000000000
--- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.0.yaml
+++ /dev/null
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.0 -spec: - refName: training-platform.educates.dev - version: 2.6.0 - releasedAt: "2023-08-18T02:51:06Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.0 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.1.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.1.yaml
deleted file mode 100644
index d31ba9808..000000000
--- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.1.yaml
+++ /dev/null
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.1 -spec: - refName: training-platform.educates.dev - version: 2.6.1 - releasedAt: "2023-08-18T12:03:25Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.1 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.10.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.10.yaml
deleted file mode 100644
index ee91c45f5..000000000
--- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.10.yaml
+++ /dev/null
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.10 -spec: - refName: training-platform.educates.dev - version: 2.6.10 - releasedAt: "2023-09-14T02:27:33Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.test - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.10 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5
diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.11.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.11.yaml
deleted file mode 100644
index b66e636d8..000000000
--- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.11.yaml
+++ /dev/null
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.11 -spec: - refName: training-platform.educates.dev - version: 2.6.11 - releasedAt: "2023-09-17T09:27:13Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.test - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.11 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.13.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.13.yaml deleted file mode 100644 index bcc621957..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.13.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.13 -spec: - refName: training-platform.educates.dev - version: 2.6.13 - releasedAt: "2023-09-21T13:56:50Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.test - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.13 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.14.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.14.yaml deleted file mode 100644 index 3b2fd3286..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.14.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.14 -spec: - refName: training-platform.educates.dev - version: 2.6.14 - releasedAt: "2023-09-25T03:26:23Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.test - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.14 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.15.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.15.yaml deleted file mode 100644 index 1cb0815cf..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.15.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.15 -spec: - refName: training-platform.educates.dev - version: 2.6.15 - releasedAt: "2023-10-03T01:42:05Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.test - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.15 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.16.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.16.yaml deleted file mode 100644 index 1f963f6cc..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.16.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.16 -spec: - refName: training-platform.educates.dev - version: 2.6.16 - releasedAt: "2023-10-13T06:56:54Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.test - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.16 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.2.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.2.yaml deleted file mode 100644 index 471281c8a..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.2.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.2 -spec: - refName: training-platform.educates.dev - version: 2.6.2 - releasedAt: "2023-08-20T01:40:23Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.2 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.3.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.3.yaml deleted file mode 100644 index f332ee5dc..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.3.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.3 -spec: - refName: training-platform.educates.dev - version: 2.6.3 - releasedAt: "2023-08-22T03:09:49Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.3 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.4.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.4.yaml deleted file mode 100644 index 995d138e0..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.4.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.4 -spec: - refName: training-platform.educates.dev - version: 2.6.4 - releasedAt: "2023-08-22T11:57:37Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.4 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.5.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.5.yaml deleted file mode 100644 index 5e41b6d0f..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.5.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.5 -spec: - refName: training-platform.educates.dev - version: 2.6.5 - releasedAt: "2023-08-25T03:42:15Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.5 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.6.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.6.yaml deleted file mode 100644 index f174b9c1f..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.6.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.6 -spec: - refName: training-platform.educates.dev - version: 2.6.6 - releasedAt: "2023-08-30T07:18:49Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.6 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.7.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.7.yaml deleted file mode 100644 index 55f7a25e0..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.7.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.7 -spec: - refName: training-platform.educates.dev - version: 2.6.7 - releasedAt: "2023-09-01T07:31:02Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.7 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.8.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.8.yaml deleted file mode 100644 index 770e10602..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.8.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.8 -spec: - refName: training-platform.educates.dev - version: 2.6.8 - releasedAt: "2023-09-08T08:51:26Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.8 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.9.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.9.yaml deleted file mode 100644 index 4f125d0b5..000000000 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.9.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: Package -metadata: - name: training-platform.educates.dev.2.6.9 -spec: - refName: training-platform.educates.dev - version: 2.6.9 - releasedAt: "2023-09-11T03:24:39Z" - valuesSchema: - openAPIv3: - type: object - additionalProperties: false - properties: - version: - type: string - default: latest - operator: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: educates - apiGroup: - type: string - default: educates.dev - statusKey: - type: string - default: educates - namePrefix: - type: string - default: educates - imageRegistry: - type: object - additionalProperties: false - properties: - host: - type: string - default: "" - namespace: - type: string - default: "" - imageVersions: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - image: - type: string - default: "" - default: [] - clusterRuntime: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - clusterIngress: - type: object - additionalProperties: false - properties: - domain: - type: string - default: educates-local-dev.xyz - class: - type: string - default: "" - protocol: - type: string - default: "" - tlsCertificate: - type: object - additionalProperties: false - properties: - tls.crt: - type: string - default: "" - tls.key: - type: string - default: "" - tlsCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caCertificate: - type: object - additionalProperties: false - properties: - ca.crt: - type: string - default: "" - caCertificateRef: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - caNodeInjector: - type: object - additionalProperties: false - properties: - enabled: - type: 
boolean - default: false - sessionCookies: - type: object - additionalProperties: false - properties: - domain: - type: string - default: "" - clusterStorage: - type: object - additionalProperties: false - properties: - class: - type: string - default: "" - user: - type: integer - nullable: true - default: null - group: - type: integer - default: 1 - clusterSecrets: - type: object - additionalProperties: false - properties: - pullSecretRefs: - type: array - items: - type: object - additionalProperties: false - properties: - namespace: - type: string - default: "" - name: - type: string - default: "" - default: [] - clusterSecurity: - type: object - additionalProperties: false - properties: - policyEngine: - type: string - default: none - workshopSecurity: - type: object - additionalProperties: false - properties: - rulesEngine: - type: string - default: kyverno - trainingPortal: - type: object - additionalProperties: false - properties: - credentials: - type: object - additionalProperties: false - properties: - admin: - type: object - additionalProperties: false - properties: - username: - type: string - default: educates - password: - type: string - nullable: true - default: null - robot: - type: object - additionalProperties: false - properties: - username: - type: string - default: robot@educates - password: - type: string - nullable: true - default: null - clients: - type: object - additionalProperties: false - properties: - robot: - type: object - additionalProperties: false - properties: - id: - type: string - nullable: true - default: null - secret: - type: string - nullable: true - default: null - dockerDaemon: - type: object - additionalProperties: false - properties: - networkMTU: - type: integer - default: 1400 - proxyCache: - type: object - additionalProperties: false - properties: - remoteURL: - type: string - default: "" - username: - type: string - default: "" - password: - type: string - default: "" - clusterNetwork: - type: object - 
additionalProperties: false - properties: - blockCIDRs: - type: array - items: - type: string - default: "" - default: - - 169.254.169.254/32 - - fd00:ec2::254/128 - workshopAnalytics: - type: object - additionalProperties: false - properties: - google: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - clarity: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - amplitude: - type: object - additionalProperties: false - properties: - trackingId: - type: string - default: "" - webhook: - type: object - additionalProperties: false - properties: - url: - type: string - default: "" - websiteStyling: - type: object - additionalProperties: false - properties: - workshopDashboard: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopInstructions: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - workshopStarted: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - workshopFinished: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - trainingPortal: - type: object - additionalProperties: false - properties: - html: - type: string - default: "" - script: - type: string - default: "" - style: - type: string - default: "" - defaultTheme: - type: string - default: "" - themeDataRefs: - type: array - items: - type: object - additionalProperties: false - properties: - name: - type: string - default: "" - namespace: - type: string - default: "" - default: [] - frameAncestors: - type: array - items: - type: string - default: "" - default: [] - imagePuller: - type: object - additionalProperties: false - properties: - prePullImages: - type: 
array - items: - type: string - default: "" - default: - - base-environment - template: - spec: - fetch: - - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.9 - template: - - ytt: - paths: - - config - - kbld-bundle.yaml - valuesFrom: - - path: kbld-images.yaml - - kbld: - paths: - - .imgpkg/images.yml - - '-' - deploy: - - kapp: - rawOptions: - - --app-changes-max-to-keep=5 diff --git a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.12.yaml b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.7.2.yaml similarity index 98% rename from package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.12.yaml rename to package-repository/packages/training-platform.educates.dev/educates-training-platform-2.7.2.yaml index 1fcbd85e1..ecaf693fc 100644 --- a/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.6.12.yaml +++ b/package-repository/packages/training-platform.educates.dev/educates-training-platform-2.7.2.yaml @@ -1,11 +1,11 @@ apiVersion: data.packaging.carvel.dev/v1alpha1 kind: Package metadata: - name: training-platform.educates.dev.2.6.12 + name: training-platform.educates.dev.2.7.2 spec: refName: training-platform.educates.dev - version: 2.6.12 - releasedAt: "2023-09-19T11:57:36Z" + version: 2.7.2 + releasedAt: "2024-06-14T12:15:35Z" valuesSchema: openAPIv3: type: object @@ -373,7 +373,7 @@ spec: spec: fetch: - imgpkgBundle: - image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.6.12 + image: ghcr.io/vmware-tanzu-labs/educates-training-platform:2.7.2 template: - ytt: paths: diff --git a/package-repository/packages/training-platform.educates.dev/metadata.yaml b/package-repository/packages/training-platform.educates.dev/metadata.yaml deleted file mode 100644 index bf89a2c55..000000000 --- a/package-repository/packages/training-platform.educates.dev/metadata.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: data.packaging.carvel.dev/v1alpha1 -kind: PackageMetadata -metadata: - name: training-platform.educates.dev - namespace: default -spec: - displayName: "Educates Training Platform" - shortDescription: "A platform for hosting interactive workshop environments in Kubernetes." - providerName: VMware - maintainers: - - name: "Graham Dumpleton" diff --git a/project-docs/conf.py b/project-docs/conf.py index 7896e42e9..c03c545d3 100644 --- a/project-docs/conf.py +++ b/project-docs/conf.py @@ -32,7 +32,9 @@ # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ - 'myst_parser' + 'myst_parser', + 'sphinx_copybutton', + 'sphinx_design' ] # Add any paths that contain templates here, relative to this directory. @@ -57,3 +59,6 @@ # so a file named "default.css" will overwrite the builtin "default.css". #html_static_path = ['_static'] html_static_path = [] + +# Extensions for myst_parser. +myst_enable_extensions = ["colon_fence"] diff --git a/project-docs/custom-resources/training-portal.md b/project-docs/custom-resources/training-portal.md index 17431e8af..44a8034d4 100644 --- a/project-docs/custom-resources/training-portal.md +++ b/project-docs/custom-resources/training-portal.md @@ -182,6 +182,19 @@ spec: When a name conflict occurs, the value of this label will override any value specified in the workshop default section, or the workshop definition. +Labels for the training portal +------------------------------ + +As well as being able to provide additional labels for individual workshops, it is also possible to add labels to the training portal. These labels are distinct from labels added to metadata for Kubernetes resources and are specific to Educates. They can be used by a lookup service to identify the purpose of training portals. + +```yaml +spec: + portal: + labels: + - name: environment + value: staging +``` + Setting caps on individual users -------------------------------- 
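Review bot: The two extensions appended to `extensions` in project-docs/conf.py, `sphinx_copybutton` and `sphinx_design`, are imported by Sphinx at build time, and no matching change to a docs requirements or build-dependency file is visible in this chunk; if they are not already declared there, the docs build will fail at extension import rather than degrade gracefully. They should be pinned alongside `myst_parser` wherever the docs build dependencies are declared, and a short comment next to the new `myst_enable_extensions = ["colon_fence"]` line noting that it exists for the `sphinx_design` directive syntax would explain why it was added in the same commit. The hunk at @@ -57,3 +59,6 @@ is the one that adds that setting.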
@@ -252,7 +265,7 @@ The time period is calculated from when the workshop session is allocated to a u When an expiration period is specified, when a user finishes a workshop, or restarts the workshop, it will also be deleted. -To cope with users who grab a workshop session, but then leave and don't actually use it, you can also set a time period for when a workshop session with no activity is deemed as being orphaned and so deleted. This is done using the ``orphaned`` setting. +To deal with users who are allocated a workshop session, but then close the browser page or otherwise hide or minimise the browser page and thus do not interact with the workshop, you can also set a time period for when a workshop session with no activity is deemed as being orphaned and so deleted. This is done using the ``orphaned`` setting. ```yaml spec: 
@@ -264,6 +277,8 @@ spec: orphaned: 5m ``` +This will be triggered in the first instance after the specified period for the case of the browser page having being closed, with the workshop session being automatically terminated. In other words, if specified as `5m`, then five minutes after the browser page is closed, the workshop session will be terminated. This automatic termination of a workshop session will also be applied in a second instance, where the browser page is hidden or minimized for a period 3 times the specified orphaned period. In other words, if specified as `5m`, a browser page which had been hidden and was not being interacted with, will be terminated after 15 minutes. + For supervised workshops where the whole event only lasts a certain amount of time, you should avoid this setting so that a users session is not deleted when they take breaks and their computer goes to sleep. When the period of time specified by ``expires`` is reached the workshop session will be terminated and deleted. If you want to allow the duration of the workshop to be extended, you can in addition to ``expires`` set a maximum time deadline for the workshop. This will allow a workshop user to give themselves more time by clicking on the countdown timer of the workshop dashboard when the timer displays as orange. The time can also be extended from the admin pages of the training portal. diff --git a/project-docs/custom-resources/workshop-definition.md b/project-docs/custom-resources/workshop-definition.md index 514885ed1..ddd3c8a3f 100644 --- a/project-docs/custom-resources/workshop-definition.md +++ b/project-docs/custom-resources/workshop-definition.md @@ -1324,7 +1324,7 @@ spec: registries: - content: - destination: /lab-k8s-fundamentals-files - prefix: /vmware-tanzu-labs/lab-k8s-fundamentals-files + prefix: /educates/lab-k8s-fundamentals-files stripPrefix: true onDemand: true urls: 
@@ -2561,13 +2561,14 @@ If you need access to the raw registry host details and credentials, they are pr * ``REGISTRY_AUTH_FILE`` - Contains the location of the ``docker`` configuration file. Should always be the equivalent of ``$HOME/.docker/config.json``. * ``REGISTRY_USERNAME`` - Contains the username for accessing the image registry. * ``REGISTRY_PASSWORD`` - Contains the password for accessing the image registry. This will be different for each workshop session. +* ``REGISTRY_AUTH_TOKEN`` - Contains username and password for accessing the image registry, separated by a colon and base64 encoded. * ``REGISTRY_SECRET`` - Contains the name of a Kubernetes secret of type ``kubernetes.io/dockerconfigjson`` added to the session namespace and which contains the registry credentials. The URL for accessing the image registry adopts the HTTP protocol scheme inherited from the environment variable ``INGRESS_PROTOCOL``. This would be the same HTTP protocol scheme as the workshop sessions themselves use. -If you want to use any of the variables in workshop content, use the same variable name but in lower case. Thus, ``registry_host``, ``registry_auth_file``, ``registry_username``, ``registry_password`` and ``registry_secret``. +If you want to use any of the variables in workshop content, use the same variable name but in lower case. Thus, ``registry_host``, ``registry_auth_file``, ``registry_username``, ``registry_password``, ``registry_auth_token`` and ``registry_secret``. -The ``registry_host``, ``registry_username``, ``registry_password`` and ``registry_secret`` will also be available as additional session data variables you can use in the workshop definition. +The ``registry_host``, ``registry_username``, ``registry_password``, ``registry_auth_token`` and ``registry_secret`` will also be available as additional session data variables you can use in the workshop definition. (enabling-ability-to-use-docker)= Enabling ability to use docker 
diff --git a/project-docs/getting-started/creating-a-workshop.md b/project-docs/getting-started/creating-a-workshop.md
index 587f3b8b6..b65032600 100644
--- a/project-docs/getting-started/creating-a-workshop.md
+++ b/project-docs/getting-started/creating-a-workshop.md
@@ -30,19 +30,21 @@ It is also recommended that workshop names always be prefixed with `lab-`. This Rendering of instructions ------------------------- -Educates currently supports two different renderers for workshop instructions. The first and original renderer for workshop instructions included in Educates is called the `classic` renderer. This is a custom dynamic web application for rendering the workshop instructions. It supports the use of Markdown or AsciiDoc. +Educates currently supports two different renderers for workshop instructions. -When you you ran `educates new-workshop` it defaulted to generating configuration and instructions files for Markdown using the `classic` renderer. +The preferred renderer is the `hugo` renderer. As the name suggests this makes use of [Hugo](https://gohugo.io/) to generate workshop instructions as static HTML files, using custom layouts provided by Educates. The implementation of the `hugo` renderer within Educates only supports the use of Markdown. -The second renderer for workshop instructions is the `hugo` renderer. As the name suggests this makes use of [Hugo](https://gohugo.io/) to generate workshop instructions as static HTML files, using custom layouts provided by Educates. Hugo only supports the use of Markdown. +When you ran `educates new-workshop` it defaulted to generating configuration and instructions files for Markdown using the `hugo` renderer. -If you want to generate a new workshop which uses the `hugo` renderer, run the `educates new-workshop` command as: +An older renderer for workshop instructions included in Educates is called the `classic` renderer. This is a custom dynamic web application for rendering the workshop instructions. It supports the use of Markdown or AsciiDoc. 
+ +If you want to generate a new workshop which uses the `classic` renderer, run the `educates new-workshop` command as: ``` -educates new-workshop lab-new-workshop --template hugo +educates new-workshop lab-new-workshop --template classic ``` -The `hugo` renderer was introduced in Educates version 2.6.0. It is expected that in time the `classic` renderer will be deprecated and the `hugo` renderer will be the recommended option. +The `classic` renderer is deprecated and will in time be removed. If you have existing workshops which use the `classic` renderer, you should convert them to use the `hugo` renderer. Deploying new workshop ---------------------- 
@@ -91,17 +93,17 @@ Key sub directories and the files contained within them are:
 * ``resources`` - Directory under which Kubernetes custom resources are stored for deploying the workshop using Educates.
 * ``resources/workshop.yaml`` - The custom resource for Educates which describes your workshop and requirements it may have when being deployed.
-If you are using the `classic` renderer for workshop instructions you would also have the following files:
-
-* ``workshop/modules.yaml`` - Configuration file with details of available modules which make up your workshop, and data variables for use in content.
-* ``workshop/workshop.yaml`` - Configuration file which provides the name of the workshop, the list of active modules for the workshop, and any overrides for data variables.
-
-If you are using the `hugo` renderer, instead of ``workshop/modules.yaml`` and ``workshop/workshop.yaml`` you may optionally have the single file:
+If you are using the `hugo` renderer you may optionally have the single file:
 * ``workshop/config.yaml`` - Configuration file with details of available modules which make up your workshop, data variables for use in content, and selectable paths through the workshop instructions.
 In the case of the `hugo` renderer, if `workshop/config.yaml` doesn't exist or no configuration is included within it, workshop instructions page ordering will be based on file name sort order, or page weights if defined in the meta data of pages.
+If you are using the `classic` renderer for workshop instructions you would need to have the following files:
+
+* ``workshop/modules.yaml`` - Configuration file with details of available modules which make up your workshop, and data variables for use in content.
+* ``workshop/workshop.yaml`` - Configuration file which provides the name of the workshop, the list of active modules for the workshop, and any overrides for data variables.
+
 If your workshop instructions use images, if using the `classic` renderer, the images can be placed in the same directory as the Markdown or AsciiDoc files. If using the `hugo` renderer, you should follow the Hugo convention and place images in the `workshop/static` directory, or use page bundles and include the image for a page in the directory for the page bundle.
 A workshop may consist of other configuration files, and directories with other types of content, but this is the minimal set of files to get you started.
diff --git a/project-docs/getting-started/local-environment.md b/project-docs/getting-started/local-environment.md
index a5ff02475..e83684618 100644
--- a/project-docs/getting-started/local-environment.md
+++ b/project-docs/getting-started/local-environment.md
@@ -32,61 +32,54 @@ educates delete-cluster --all
 This will also delete the local image registry and DNS resolver if deployed.
-Reinstalling Educates
----------------------
-
-When you run the `educates create-cluster` command to create the local Kubernetes cluster, it will also install Educates. If you wish to delete and reinstall just Educates after the cluster has been created, first run:
-
-```
-educates admin platform delete
-```
-
-To deploy Educates again, you can then run:
-
-```
-educates admin platform deploy
-```
-
 Custom configuration
 --------------------
-If you want to provide overrides to the automatically generated configuration for Educates, you can supply a YAML data values file via the `--config` option when running `educates create-cluster` or `educates admin platform deploy` commands.
-
-Alternatively, you can provide a global set of defaults for the YAML data values by running:
+If you want to provide overrides to the automatically generated configuration for Educates you can provide a global set of defaults for the YAML data values by running:
 ```
-educates admin config edit
+educates local config edit
 ```
-and entering the YAML data values.
+and entering the YAML data values. This configuration will be automatically used when running `educates create-cluster`.
-You can view what actual YAML data values will be used for the configuration when doing a deployment of Educates by running:
+You can view what actual YAML data values will be used for this configuration when doing a deployment of Educates by running:
 ```
-educates admin config view
+educates local config view
 ```
-The `--config` option can also be supplied to this command if desired.
+You can also supply a YAML data values file via the `--config` option when running the `educates create-cluster` command, however by doing so any secrets in the local secrets cache will not be automatically copied to the cluster.
Local image registry
 --------------------
 When you run the `educates create-cluster` command to create the local Kubernetes cluster, it will also deploy an image registry to your local docker environment. This is used for storing workshop content files and custom workshop base images. The Educates command line tool can be used to publish the workshop content files to this image registry.
-If you want to use the registry to store other images, you should tag your images with the registry host/port of `localhost:5001`, then push the image to the registry. If you want to pull images from the registry in deployments created in the Kubernetes cluster, you should use the registry host/port of `registry.default.svc.cluster.local` in the deployment resources created inside of the Kubernetes cluster. Within a workshop definition this can be referred to using the ``$(image_repository)`` variable reference.
+If you want to use the registry to store other images, you should tag your images with the registry host/port of `localhost:5001`, then push the image to the registry.
-So that the same host name is used on the local machine as in the cluster, you could if you want create an entry in the `/etc/hosts` file of you local machine for `registry.default.svc.cluster.local` which maps to `127.0.0.1`.
+If you want to pull images from the registry in Kubernetes deployments created in the Kubernetes cluster, you can also use `localhost:5001` and it will be automatically mapped to the local image registry, with Kubernetes also trusting the local image registry.
+
+Should you need to pull images from the local image registry from inside of the cluster using tools such as `docker`, `imgpkg`, `oras` or `skopeo`, you will need to use the registry host of `registry.default.svc.cluster.local` instead. This also can be used for Kubernetes deployments as well.
Whether you need to tell those tools to trust the image registry will depend on whether they automatically support use of HTTP for access when using `.local` addresses.
+
+Within a workshop definition the ``$(image_repository)`` variable reference will map to `registry.default.svc.cluster.local` and is the recommended way to refer to the local image registry. Workshop templates and the workshop publishing workflow are setup to use this variable rather than a hard coded reference.
 If you wish to delete and reinstall the registry after the cluster has been created, you can run:
 ```
-educates admin registry delete
+educates local registry delete
 ```
 To deploy the registry again, you can then run:
 ```
-educates admin registry deploy
+educates local registry deploy
+```
+
+If you have successively pushed new builds of images to the local image registry using the same image version tag, the registry can blow out in size over time due to unreferenced image layers. To reclaim space consumed by these unreferenced image layers, you can run:
+
+```
+educates local registry prune
 ```
 Custom ingress domain
@@ -96,7 +89,7 @@ By default when deployed to the Kubernetes cluster of the local environment, Edu
 This works but because it is not possible to obtain an official trusted TLS certificate for a `nip.io` address, and as such it is not possible to use secure ingresses, some features of the workshop environment may not work. This includes the inability to use a per session image registry, which requires a secure ingress to be trusted by the Kubernetes cluster and other tools which work with registries.
-Instead of relying on a `nip.io` address you can use your own domain that you control and for which you can generate yourself a wildcard TLS certificate. For example, you might own the domain `workshops.mydomain.com`, in which case you could use a wildcard TLS certificate for `*.workshops.mydomain.com`. You will also need to be able to configure DNS for the domain, or be able to set up a local DNS resolver on your local machine.
+Instead of relying on a `nip.io` address you can use your own domain that you control and for which you can generate yourself a wildcard TLS certificate. For example, you might own the domain `educates-local-dev.test`, in which case you could use a wildcard TLS certificate for `*.educates-local-dev.test`. You will also need to be able to configure DNS for the domain, or be able to set up a local DNS resolver on your local machine.
 In using your own custom domain name, you could do it with a wildcard TLS certificate issued by a trusted registrar such as Lets Encrypt, or you could create a self signed certificate authority (CA) in order to create your own TLS certificate. If using a self signed CA, you will need to configure your operating system and Educates to use that CA.
@@ -104,11 +97,15 @@ If you are using a self signed CA, you could technically still use the `nip.io`
 To use a custom ingress domain, when running `educates create-cluster` you can supply the `--domain` option to pass the domain name.
-Alternatively, you can run `educates admin config edit` and add the configuration for the ingress domain as part of the global defaults.
+```
+educates create-cluster --domain educates-local-dev.test
+```
+
+Alternatively, you can run `educates local config edit` and add the configuration for the ingress domain as part of the global defaults.
 ```yaml
 clusterIngress:
- domain: educates-local-dev.xyz
+ domain: educates-local-dev.test
 ```
 This will still only allow HTTP as is and will not use a secure ingress. If you want to use secure ingress you need to provide the corresponding wildcard TLS certificate.
@@ -116,7 +113,7 @@ This will still only allow HTTP as is and will not use a secure ingress. If you
 If you had used certbot and Lets Encrypt to create a wildcard TLS certificate using a DNS challenge, you could then configure Educates to know about it and use it by running:
 ```
-educates admin secrets add tls ${INGRESS_DOMAIN}-tls \
+educates local secrets add tls ${INGRESS_DOMAIN}-tls \
 --cert $HOME/.letsencrypt/config/live/${INGRESS_DOMAIN}/fullchain.pem \
 --key $HOME/.letsencrypt/config/live/${INGRESS_DOMAIN}/privkey.pem \
 --domain ${INGRESS_DOMAIN}
@@ -127,14 +124,14 @@ The `--domain` option must be used to indicate the domain the wildcard TLS certi
 If the wildcard TLS certificate is self signed using your own certificate authority (CA) certificate, you would still use the above command to add the TLS certificate for Educates to use, but supply the location of where you had saved the corresponding files. You can then provide the CA certificate for Educates to use by running:
 ```
-educates admin secrets add ca ${INGRESS_DOMAIN}-ca \
+educates local secrets add ca ${INGRESS_DOMAIN}-ca \
 --cert "`mkcert -CAROOT`/rootCA.pem" \
 --domain ${INGRESS_DOMAIN}
 ```
 In this example, it was assumed that ``mkcert`` had been used to create the CA certificate and wildcard TLS certificate and thus we run ``mkcert`` to determine where the CA certificate was stored.
-Now when Educates is deployed using `educates create-cluster`, or later if using `educates admin platform deploy` to reinstall Educates, this custom ingress domain and wildcard TLS certificate, and optionally the CA certificate if one provided, will be used.
+These secrets will be automatically copied to the local Kubernetes cluster when running `educates create-cluster` provided that the `--config` is not being used.
 Note that DNS still needs to be configured to map using a CNAME the wildcard domain to the IP address of your local host machine where the Kubernetes cluster is running. This could be done by modifying your actual DNS registry, or you can run a local DNS resolver. If doing this in your global DNS registry, it doesn't matter that the IP address is a local network address which is not accessible to the internet, although depending on what internet router you use for a home network, you may need to disable DNS rebinding protection in your router for the domain.
@@ -146,7 +143,7 @@ The alternative to setting up a global DNS registry to map the wildcard domain t
 If you are on macOS, the Educates command line tool provides the means to run `dnsmasq` for you with the required configuration. To start this run:
 ```
-educates admin resolver deploy
+educates local resolver deploy
 ```
 This will run the `dnsmasq` instance in the local docker daemon instance.
@@ -175,7 +172,7 @@ You should see an entry like the following for your ingress domain:
 ```
 resolver #8
- domain : educates-local.dev.xyz
+ domain : educates-local-dev.test
 nameserver[0] : 127.0.0.1
 flags : Request A records, Request AAAA records
 reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
@@ -184,11 +181,11 @@ resolver #8
 Note that tools like `nslookup` and `dig` do not use the local DNS resolver so don't expect them to show a result. You can instead use `curl` to test a host within the ingress domain. You should get a HTTP 404 response, which will be the default response from the Kubernetes ingress controller, since there will not be any ingress configured to respond to the request.
 ```
-$ curl -v www.educates-local.dev.xyz
+$ curl -v www.educates-local-dev.test
 * Trying 192.168.168.1:80...
-* Connected to www.educates-local.dev.xyz (192.168.168.1) port 80 (#0)
+* Connected to www.educates-local-dev.test (192.168.168.1) port 80 (#0)
 > GET / HTTP/1.1
-> Host: www.educates-local.dev.xyz
+> Host: www.educates-local-dev.test
 > User-Agent: curl/7.79.1
 > Accept: */*
>
@@ -199,10 +196,10 @@ $ curl -v www.educates-local.dev.xyz
 < server: envoy
 < content-length: 0
 <
-* Connection #0 to host www.educates-local.dev.xyz left intact
+* Connection #0 to host www.educates-local-dev.test left intact
 ```
-The IP address used as the target for addresses resolved by the local DNS resolver will be the IP address of the primary active network interface for the local host. If you want to override the IP address and change it to use an alternate IP, such as that used by an alias applied to a network interface using the ``ifconfig INTERFACE alias`` command, you can edit the local Educates config using the command ``educates admin config edit`` and add configuration in the following form before deploying the local DNS resolver.
+The IP address used as the target for addresses resolved by the local DNS resolver will be the IP address of the primary active network interface for the local host. If you want to override the IP address and change it to use an alternate IP, such as that used by an alias applied to a network interface using the ``ifconfig INTERFACE alias`` command, you can edit the local Educates config using the command ``educates local config edit`` and add configuration in the following form before deploying the local DNS resolver.
 ```yaml
 localDNSResolver:
@@ -222,7 +219,7 @@ Linux systems may already provide a local DNS resolver in which case you can con
 If the Linux distribution uses a `dnsmasq` server as the local DNS resolver, it should be configured with an entry like the following:
 ```
-address=/educates-local.dev.xyz/192.168.168.1
+address=/educates-local-dev.test/192.168.168.1
 ```
 where your ingress domain is mapped to the IP address of your local machine.
@@ -230,7 +227,9 @@ where your ingress domain is mapped to the IP address of your local machine.
 When done with the local environment and you want to delete the local DNS resolver if started on macOS, you can run:
 ```
-educates admin resolver delete
+educates local resolver delete
 ```
 You will need to manually remove the file you created under `/etc/resolver`.
+
+Note that when using the local DNS resolver on macOS, for it to work relies on DNS resolution within the local Kind Kubernetes cluster being passed through to the macOS system DNS resolution framework. Although this appears to work for Kubernetes Kind clusters running on macOS Intel architecture, it appears not to currently work for macOS ARM architecture. It is believed this may be because Go application binaries compiled using cross compilation do not link and use the macOS DNS frameworks and instead have a native Go implementation which bypasses the macOS `/etc/resolver` based system. If you are using macOS ARM based machines, you will need to have access to a public DNS registry or server where you can instead configure your domains. Using a DNS server on your local network or embedded in your internet router may also not work as it is also suspected that for macOS ARM acrhitecture, a Kubernetes Kind cluster bypasses local DNS servers and connects direct to a public DNS. The only known way around this at present is to override CoreDNS configuration in the Kubernetes cluster.
diff --git a/project-docs/getting-started/quick-start-guide.md b/project-docs/getting-started/quick-start-guide.md
index 38d5fc8f3..eec3636e4 100644
--- a/project-docs/getting-started/quick-start-guide.md
+++ b/project-docs/getting-started/quick-start-guide.md
@@ -15,7 +15,7 @@ To deploy Educates on your local machine using the Educates command line tool th
 * You need to be running macOS or Linux. If using Windows you will need WSL (Windows subsystem for Linux). The Educates command line tool has primarily been tested on macOS.
-* You need to have a working `docker` environment. The Educates command line tool has primarily been tested with Docker Desktop on macOS.
+* You need to have a working `docker` environment. The Educates command line tool has primarily been tested with [Docker Desktop](https://www.docker.com/products/docker-desktop/) but you can use [Colima](https://github.com/abiosoft/colima) if you are running on macOS.
 * You need to have sufficient memory and disk resources allocated to the `docker` environment to run Kubernetes, Educates etc.
@@ -27,16 +27,26 @@ To deploy Educates on your local machine using the Educates command line tool th
 * You need to have port 5001 available on the local machine as this will be used for a local image registry.
-If you are using Docker Desktop, you need to have the following enabled:
-
-* Use kernel networking for UDP (Settings->Resources->Network).
+If you are using [Docker Desktop](https://www.docker.com/products/docker-desktop/), you will need to enable the following:
 * Allow the default Docker socket to be used (Settings->Advanced).
 * Allow privileged port mapping (Settings->Advanced).
+Depending on the Docker Desktop version you are running, you may also need to enable/disable:
+
+* Use kernel networking for UDP (Settings->Resources->Network).
+
+In case you are using [Colima](https://github.com/abiosoft/colima), you need to add the following lines to the educates configuration file:
+
+```
+$ educates local config edit
+localKindCluster:
+ listenAddress: 0.0.0.0
+```
+
 Downloading the CLI
------------------------
+-------------------
 To download the Educates CLI visit the releases page at:
@@ -44,14 +54,44 @@ To download the Educates CLI visit the releases page at:
 Find the most recent released version and download the `educates` CLI program for your platform.
-* `educates-linux-amd64` - Linux (Intel 64)
-* `educates-linux-arm64` - Linux (ARM 64)
-* `educates-darwin-amd64` - macOS (Intel 64 or Apple silicon)
-* `educates-darwin-arm64` - macOS (Apple silicon)
+* `educates-linux-amd64` - Linux (amd64)
+* `educates-linux-arm64` - Linux (arm64)
+* `educates-darwin-amd64` - macOS (amd64)
+* `educates-darwin-arm64` - macOS (arm64)
 Rename the downloaded program to `educates`, make it executable (`chmod +x educates`), and place it somewhere in your application search path.
-If you are running macOS with Apple silicon (arm64), the Intel 64 (amd64) binary will be run under Rosetta emulation, however, by using it you will be able to use both `amd64` and `arm64` images in the Kubernetes cluster. If you use the Apple silicon (arm64) binary you will only be able to use `amd64` images in the Kubernetes cluster. Neither of the macOS binaries are signed so you will need to tell macOS to trust it before you can run it.
+To download the latest version using `curl` and mark it executable, you can use the appropriate command for your operating system and architecture below.
+
+::::{tab-set}
+
+:::{tab-item} Linux (amd64)
+```
+curl -o educates -sL https://github.com/vmware-tanzu-labs/educates-training-platform/releases/latest/download/educates-linux-amd64 && chmod +x educates
+```
+:::
+
+:::{tab-item} Linux (arm64)
+```
+curl -o educates -sL https://github.com/vmware-tanzu-labs/educates-training-platform/releases/latest/download/educates-linux-arm64 && chmod +x educates
+```
+:::
+
+:::{tab-item} macOS (amd64)
+```
+curl -o educates -sL https://github.com/vmware-tanzu-labs/educates-training-platform/releases/latest/download/educates-darwin-amd64 && chmod +x educates
+```
+:::
+
+:::{tab-item} macOS (arm64)
+```
+curl -o educates -sL https://github.com/vmware-tanzu-labs/educates-training-platform/releases/latest/download/educates-darwin-arm64 && chmod +x educates
+```
+:::
+
+::::
+
+If you are running macOS with Apple silicon (arm64), the Intel 64 (amd64) binary will still work and be run under Rosetta emulation, however, by using it you will be able to use both `amd64` and `arm64` images in the Kubernetes cluster. If you use the Apple silicon (arm64) binary you will only be able to use `amd64` images in the Kubernetes cluster. Neither of the macOS binaries are signed so you will need to tell macOS to trust it before you can run it.
 The `educates` CLI can also be downloaded from the `vmware-tanzu-labs/educates-training-platform` GitHub repository packaged as an OCI image using the command:
@@ -82,7 +122,7 @@ Default ingress domain
 Educates requires a valid fully qualified domain name (FQDN) to use with Kubernetes ingresses which it creates.
-By default, the scripts will automatically use a `nip.io` address which consists of the IP address of your local machine as the ingress domain. For example `192-168-1-1.nip.io`.
+By default, the `educates` CLI when creating a cluster will automatically use a `nip.io` address which consists of the IP address of your local machine as the ingress domain. For example `192-168-1-1.nip.io`.
 If a `nip.io` address is relied upon, some features of Educates may not be able to be used. This is because those features require that you also have access to a wildcard TLS certificate for the ingress domain. Since you don't control the `nip.io` domain, there is no way for you to generate the required TLS certificate using a service such as LetsEncrypt. You could however using your own self signed certificate authority (CA) create a wildcard TLS certificate for the `nip.io` domain but you will need to configure macOS to use the CA, as well as configure Educates to know about the CA.
@@ -125,7 +165,7 @@ The Educates CLI is intended primarily for people who need to create workshop co
 To deploy this workshop run:
 ```
-educates deploy-workshop -f https://github.com/vmware-tanzu-labs/lab-k8s-fundamentals/releases/latest/download/workshop.yaml
+educates deploy-workshop -f https://github.com/educates/lab-k8s-fundamentals/releases/latest/download/workshop.yaml
 ```
 This will load the workshop resource definition into the Kubernetes cluster. If a training portal instance is not already running one will be deployed. A workshop environment for this specific workshop will then be created and registered with the training portal.
@@ -171,7 +211,7 @@ Deleting the workshop
 When you no longer require this workshop and wish to delete the workshop environment, run:
 ```
-educates delete-workshop -f https://github.com/vmware-tanzu-labs/lab-k8s-fundamentals/releases/latest/download/workshop.yaml
+educates delete-workshop -f https://github.com/educates/lab-k8s-fundamentals/releases/latest/download/workshop.yaml
 ```
 This requires you to provide the same URL for the location of the workshop definition you used when you deployed the workshop. If you do not remember the URL, you can view it by running:
diff --git a/project-docs/getting-started/sample-workshops.md b/project-docs/getting-started/sample-workshops.md
index 0d4243dff..cf71a1199 100644
--- a/project-docs/getting-started/sample-workshops.md
+++ b/project-docs/getting-started/sample-workshops.md
@@ -3,5 +3,4 @@ Sample Workshops
 Below are a selection of workshops you can try with Educates and use as a guide when developing your own workshops.
-* [Kubernetes Fundamentals](https://github.com/vmware-tanzu-labs/lab-k8s-fundamentals) - An interactive workshop on Kubernetes fundamentals.
-* [Spring Boot on Kubernetes](https://github.com/vmware-tanzu-labs/lab-spring-boot-on-k8s) - Introduction to Spring Boot on Kubernetes.
+* [Kubernetes Fundamentals](https://github.com/educates/lab-k8s-fundamentals) - An interactive workshop on Kubernetes fundamentals.
diff --git a/project-docs/getting-started/workshop-templates.md b/project-docs/getting-started/workshop-templates.md
index de0e0a303..bfa0863b9 100644
--- a/project-docs/getting-started/workshop-templates.md
+++ b/project-docs/getting-started/workshop-templates.md
@@ -21,6 +21,8 @@ The ``educates new-workshop`` command will default to creating files setup for u
 educates new-workshop lab-new-workshop --template classic
 ```
+The `classic` renderer is deprecated and will in time be removed so it is recommended that new workshops use the `hugo` renderer.
+
 In the workshop definition there are additional required fields that need to be filled out. These will be filled out with default values, but you can customize them at the time of workshop creation.
 The command line options for customizing the fields and their purpose are:
@@ -127,7 +129,15 @@ The tag being pushed to GitHub will trigger the following actions:
 * Creation of an OCI image artefact containing workshop content files and pushing it to the GitHub container registry.
 * Creation of a release against the GitHub repository and attach as assets Kubernetes resource files for deploying the workshop to Educates.
-The creation and the publishing of the OCI image artefact will be performed using the `educates publish-workshop` command. Your workshop definition must therefore be configured appropriately with a section describing how to publish the workshop image and optionally what should be included in the workshop image.
+The creation and the publishing of the OCI image artefact will be performed using the `educates publish-workshop` command. Your workshop definition must therefore be configured appropriately with a section describing how to publish the workshop image and optionally what should be included in the workshop image. In the case of workshops created using the `educates new-workshop` command, this configuration will be:
+
+```yaml
+spec:
+ publish:
+ image: $(image_repository)/{name}-files:$(workshop_version)
+```
+
+In the example above, the value of `{name}` would be the name of your workshop. That is, the same as `metadata.name` from the same resource definition. The image reference will match what is used in `spec.workshop.files.image.url`.
 Note that if the GitHub repository is not public, you will need to go to the settings for any images pushed to GitHub container registry and change the visibility from private or internal, to public before anyone can use the workshop.
diff --git a/project-docs/index.rst b/project-docs/index.rst
index c98857d0f..aaf1af4f0 100644
--- a/project-docs/index.rst
+++ b/project-docs/index.rst
@@ -27,15 +27,11 @@ Educates
 installation-guides/cluster-requirements
 installation-guides/installation-instructions
+ installation-guides/cli-based-installation
+ installation-guides/carvel-based-installation
+ installation-guides/infrastructure-providers
 installation-guides/configuration-settings
-..
- installation-guides/training-session
- installation-guides/under-the-covers
- installation-guides/deleting-operator
- installation-guides/deploying-to-minikube
- installation-guides/deploying-to-kind
-
 .. toctree::
 :maxdepth: 2
 :caption: Workshop Content:
@@ -85,6 +81,7 @@ Educates
 :maxdepth: 2
 :caption: Release Notes:
+ release-notes/version-3.0.0
 release-notes/version-2.7.2
 release-notes/version-2.7.1
 release-notes/version-2.7.0
diff --git a/project-docs/installation-guides/carvel-based-installation.md b/project-docs/installation-guides/carvel-based-installation.md
new file mode 100644
index 000000000..ebe716aec
--- /dev/null
+++ b/project-docs/installation-guides/carvel-based-installation.md
@@ -0,0 +1,112 @@
+Carvel Based Installation
+=========================
+
+Of the two methods available for installing Educates into an existing Kubernetes cluster, the instructions below pertain to installing Educates via the Carvel `kapp-controller` operator pre-installed into a Kubernetes cluster. The instructions assume you have already prepared a suitable configuration file.
+
+Carvel command line tools
+-------------------------
+
+The Carvel project provides a set of command line tools you can run locally, as well as a number of operators for installation in to Kubernetes clusters for package and secrets management.
+
+In order to install Educates, you do not actually need to have the Carvel tools installed locally, but if you are interested in what they can do for you, see the [Carvel](https://carvel.dev/) project web site.
+
+Installing kapp-controller
+--------------------------
+
+To install Educates into a Kubernetes cluster using the Carvel packaging system requires that [kapp-controller](https://carvel.dev/kapp-controller/) from Carvel be installed into the Kubernetes cluster.
+
+If you are using a Kubernetes cluster created using Tanzu Kubernetes Grid (TKG) or Tanzu Mission Control (TMC), it will come preinstalled with ``kapp-controller`` and you do not need to install ``kapp-controller`` yourself.
+
+If you do need to install ``kapp-controller``, further information can be found at:
+
+* [https://carvel.dev/kapp-controller/docs/develop/install/](https://carvel.dev/kapp-controller/docs/develop/install/)
+
+In most circumstances all you should need to do is run:
+
+```bash
+kubectl apply -f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml
+```
+
+Installer service account
+-------------------------
+
+When using `kapp-controller` to install a package, it is necessary to provide a service account in the Kubernetes cluster which has the required role access to be able to create all the resources for a package. This service account must be granted any required roles which the deployed application needs at runtime.
+
+Because the Educates training platform may need to create instances of any available Kubernetes resource type when deploying specific workshops, it needs to have full `cluster-admin` role access.
+
+To create the required service account and role bindings a YAML resources file is provided with each Educates release. To apply this for the latest version of Educates to the cluster, run the command:
+
+```bash
+kubectl apply -f https://github.com/vmware-tanzu-labs/educates-training-platform/releases/latest/download/educates-installer-app-rbac.yaml
+```
+
+Alternatively, checkout the [Educates releases](https://github.com/vmware-tanzu-labs/educates-training-platform/releases) and use the `educates-installer-app-rbac.yaml` file from the specific version of Educates you want to install.
+
+Note that a namespace called `educates-installer` will be created to hold the service account.
+
+Applying the package values
+---------------------------
+
+The next required step is to create a secret in the Kubernetes cluster which holds the configuration you want to use for deploying Educates.
+
+Presuming your configuration is in the `config.yaml` file, run:
+
+```bash
+kubectl create secret generic educates-installer -n educates-installer --from-file config.yaml --save-config
+```
+
+The secret should be created in the `educates-installer` namespace.
+
+Installing Educates package
+---------------------------
+
+You are now ready to install Educates and any required services as dictated by the configuration you supplied.
+
+For the latest version of Educates, run the following command:
+
+```bash
+kubectl apply -f https://github.com/vmware-tanzu-labs/educates-training-platform/releases/latest/download/educates-installer-app.yaml
+```
+
+Alternatively, checkout the [Educates releases](https://github.com/vmware-tanzu-labs/educates-training-platform/releases) and use the `educates-installer-app.yaml` file from the specific version of Educates you want to install.
+
+The same `educates-installer` namespace referenced in prior steps will be used.
+
+Updating package configuration
+------------------------------
+
+To update the configuration for the installed package, update the values in the `educates-installer` secret.
+
+```bash
+kubectl create secret generic educates-installer -n educates-installer --from-file config.yaml --dry-run=client -o yaml | kubectl apply -f -
+```
+
+The next time that `kapp-controller` performs a reconcilliation for the package, the new configuration will be applied.
+
+If you need to manually force reconcilliation you can run:
+
+```bash
+kctrl app kick -a installer.educates.dev -n educates-installer -y
+```
+
+The `kctrl` command is from the Carvel package toolset.
+
+Note that such configuration changes will not necessarily affect training portals or workshop environments which have already been created, and will only affect training portals created after that point.
+
+Deleting the installed package
+------------------------------
+
+To delete everything installed with the Educates package, run:
+
+```bash
+kubectl delete -n educates-installer app/installer.educates.dev
+```
+
+This will leave the `educates-installer` namespace, the service account which was created, as well as the secret holding the Educates configuration.
+
+To manually clean these up run:
+
+```bash
+kubectl delete namespace/educates-installer
+kubectl delete clusterrolebinding/educates-installer
+```
diff --git a/project-docs/installation-guides/cli-based-installation.md b/project-docs/installation-guides/cli-based-installation.md
new file mode 100644
index 000000000..16fb4b75a
--- /dev/null
+++ b/project-docs/installation-guides/cli-based-installation.md
@@ -0,0 +1,66 @@
+CLI Based Installation
+======================
+
+Of the two methods available for installing Educates into an existing Kubernetes cluster, the instructions below pertain to installing using the Educates CLI. The instructions assume you have already prepared a suitable configuration file.
+
+Deploying the platform
+----------------------
+
+Once you have created a suitable configuration file, you can install Educates into an existing Kubernetes cluster using the Educates CLI, by running:
+
+```shell
+educates deploy-platform --config config.yaml
+```
+
+The `--config` option should supply the path to the configuration file you created.
+
+You must have set `clusterInfrastructure.provider` in the configuration file.
+
+The installation process will install Educates, as well as other services and Kubernetes operators required by Educates, or which are beneficial when working with the specified infrastructure provider.
+
+If needing to debug the installation process, you can supply the `--verbose` option.
+
+```shell
+educates deploy-platform --config config.yaml --verbose
+```
+
+Kubeconfig and context
+----------------------
+
+By default the Educates CLI will use the Kubernetes configuration found in the standard `kubeconfig` file, usually `$HOME/.kube/config`.
+
+If you want to use an alternate `kubeconfig` file, use the `--kubeconfig` option.
+
+```shell
+educates deploy-platform --config config.yaml --kubeconfig kubeconfig.yaml
+```
+
+Whether the default `kubeconfig` or one supplied using the `--kubeconfig` option, the current context specified by the configuration will be used.
+
+If you want to specify an alternate context be used, use the `--context` option.
+
+```shell
+educates deploy-platform --config config.yaml --context educates-cluster
+```
+
+Updating configuration
+----------------------
+
+After having performed an installation, if you needed to amend the configuration, in many cases it is possible to update the configuration for the installation in place, without needing to delete the installation and reinstall it.
+
+To update the configuration for the already deployed installation, make the required changes to your configuration file. You can then run the same command as you used originally to install it. For example:
+
+```shell
+educates deploy-platform --config config.yaml
+```
+
+Note that such configuration changes will not necessarily affect training portals or workshop environments which have already been created, and will only affect training portals created after that point.
+
+Deleting the installation
+-------------------------
+
+To delete Educates and any other services or Kubernetes operators which were installed, you can run:
+
+```shell
+educates delete-platform
+```
diff --git a/project-docs/installation-guides/cluster-requirements.md b/project-docs/installation-guides/cluster-requirements.md
index 5d76a0cd8..c416fc395 100644
--- a/project-docs/installation-guides/cluster-requirements.md
+++ b/project-docs/installation-guides/cluster-requirements.md
@@ -80,6 +80,10 @@ If Kyverno is not installed or enabled, enforcement of any security policies to
 Carvel package installation
 ---------------------------
-The default installation method for Educates relies on the Carvel packaging system. For a streamlined install process you need to have the Carvel [kapp-controller](https://carvel.dev/kapp-controller/) operator pre-installed into the Kubernetes cluster. If using Tanzu Kubernetes Grid (TKG) or Tanzu Mission Control (TMC), this will already exist upon the Kubernetes cluster being created, however, for other Kubernetes distributions you will need to install it.
+The installation method for Educates relies on the [Carvel](https://carvel.dev/) packaging system. You have two options for installing Educates into an existing Kubernetes cluster.
-If ``kapp-controller`` is not available, Educates can still be installed but will require many more manual steps. Also, certain builtin features of Educates related to virtual clusters will not be available as they rely on ``kapp-controller`` being installed in the host Kubernetes cluster to work.
+The first option is to use the `educates` CLI to deploy Educates and any required services to the Kubernetes cluster. In this case, although Educates uses the Carvel packaging system, you do not need the Carvel tools installed on your local host computer, nor do you need to have the Carvel [kapp-controller](https://carvel.dev/kapp-controller/) operator pre-installed into the Kubernetes cluster.
+
+The second option, and one which may be more suitable if setting up clusters to run Educates as part of a GitOps or CI/CD based installation process, is to have `kapp-controller` pre-installed into the Kubernetes cluster and use it to install Educates and any required services.
+
+If using Tanzu Kubernetes Grid (TKG) or Tanzu Mission Control (TMC), `kapp-controller` will already exist upon the Kubernetes cluster being created, however, for other Kubernetes distributions you will need to install `kapp-controller` yourself if wanting to use it to install Educates.
diff --git a/project-docs/installation-guides/infrastructure-providers.md b/project-docs/installation-guides/infrastructure-providers.md
new file mode 100644
index 000000000..1e49874c1
--- /dev/null
+++ b/project-docs/installation-guides/infrastructure-providers.md
@@ -0,0 +1,172 @@
+(infrastructure-providers)=
+Infrastructure Providers
+========================
+
+The Educates installation package provides pre-canned configurations for a number of infrastructure providers. These, as well as custom configurations for some other platforms are described below.
+
+Installation to Amazon EKS
+--------------------------
+
+Installation is supported on [Amazon Elastic Kubernetes Service](https://aws.amazon.com/eks/). This is indicated by setting `provider` to `eks`.
+
+The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
+
+Additional components will be installed. These are:
+
+* [external-dns](https://github.com/kubernetes-sigs/external-dns) - to configure a wildcard entry in your domain's desired `HostedZone`.
+* [cert-manager](https://cert-manager.io/) - for certificate management integration with [Let's Encrypt](https://letsencrypt.org).
+* certs - creates an ACME wildcard domain `ClusterIssuer` for `cert-manager`.
+
+This installer package relies on having an EKS IAM Role for Service Account (IRSA) so you will need to create two IAM roles for both [external-dns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-roles-for-service-accounts) and [cert-manager](https://cert-manager.io/docs/configuration/acme/dns01/route53/#eks-iam-role-for-service-accounts-irsa) services. The details of the roles need to be specified in the `aws.irsaRoles` section of the configuration, with a format `arn:aws:iam:::role/`.
+
+Additionally, you need to specify the AWS region where your cluster is running, and if the domain you're using is not a real `HostedZone` in AWS, you may need to specify `aws.route53.hostedZone` with the actual domain.
+
+This is a sample snippet that will get Educates installed on an existing EKS cluster.
+
+```yaml
+clusterInfrastructure:
+ provider: "eks"
+ aws:
+ region: "eu-west-1"
+ route53:
+ hostedZone: "example.com"
+ irsaRoles:
+ external-dns: "arn:aws:iam::123456789012:role/external-dns"
+ cert-manager: "arn:aws:iam::123456789012:role/cert-manager"
+clusterIngress:
+ domain: "educates.example.com"
+```
+
+Installation to Google GKE
+--------------------------
+
+Installation is supported on [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine). This is indicated by setting `provider` to `gke`.
+
+The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
+
+Additional components will be installed. These are:
+
+* [external-dns](https://github.com/kubernetes-sigs/external-dns) - to configure a wildcard entry in your domain's desired DNS Zone in Google CloudDNS.
+* [cert-manager](https://cert-manager.io/) - for certificate management integration with [Let's Encrypt](https://letsencrypt.org).
+* certs - creates an ACME wildcard domain `ClusterIssuer` for `cert-manager`.
+
+This installer package relies on having an [GKE Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) so you will need to create two IAM roles for both [external-dns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/nginx-ingress.md#gke-with-workload-identity) and [cert-manager](https://cert-manager.io/docs/configuration/acme/dns01/google/#gke-workload-identity) services. The details of the roles need to be specified in the `gcp.workloadIdentity` section of the configuration, with a format `@.iam.gserviceaccount.com`
+
+Additionally, you need to specify the Google project Id for your GKE cluster, and if the domain you're using is not a real DNS Zone in Google CloudDNS, you may need to specify the `gcp.cloudDNS.zone` with the actual domain.
+
+This is a sample snippet that will get Educates installed on an existing GKE cluster.
+
+```
+clusterInfrastructure:
+ provider: "gke"
+ gcp:
+ project: "my-project"
+ cloudDNS:
+ zone: "example.com"
+ workloadIdentity:
+ external-dns: "external-dns@my-project.iam.gserviceaccount.com"
+ cert-manager: "cert-manager@my-project.iam.gserviceaccount.com"
+clusterIngress:
+ domain: "educates.example.com"
+```
+
+Installation to local Kind
+--------------------------
+
+Installation is supported on a local Kubernetes cluster created using [Kind](https://kind.sigs.k8s.io/) (Kubernetes in Docker). This is indicated by setting `provider` to `kind`.
+
+The components which will be installed are the Educates training platform, Contour as the ingress controller, and Kyverno for cluster and workshop security policy enforcement.
+
+For this case it is required that the Kind cluster be configured to [map ports 80/443](https://kind.sigs.k8s.io/docs/user/ingress/) such that the Kubernetes ingress controller is accessible via the host.
+
+Installation to OpenShift
+-------------------------
+
+We are not currently providing a pre-canned configuration for installing Educates in OpenShift. We are working on including configuration for OpenShift, but believe the following configuration should work in the interim.
+
+```yaml
+# Specify the infrastructure provider hosting the Kubernetes cluster.
+# We are using "custom" and providing the configuration ourselves.
+
+clusterInfrastructure:
+ provider: custom
+
+# Specify the ingress domain to be used to access the workshops hosted by
+# the Educates installation.
+
+clusterIngress:
+ domain: educates-local-dev.test
+
+# Specify component packages to be installed for this configuration.
+
+clusterPackages:
+ # Disable installation of Contour as using OpenShift standard ingress
+ # controller.
+
+ contour:
+ enabled: false
+
+ # Enable installation of Kyverno for workshop security policy enforcement.
+
+ kyverno:
+ enabled: true
+
+ # Ensure that Educates training platform is installed.
+
+ educates:
+ enabled: true
+
+# Configure cluster security policy enforcement to be done using OpenShift
+# security context constraints.
+
+clusterSecurity:
+ policyEngine: security-context-constraints
+
+# Configure workshop security policy enforcement to be done using Kyverno.
+
+workshopSecurity:
+ rulesEngine: kyverno
+```
+
+The standard OpenShift ingress controller will be used.
+
+Installation to a vCluster
+--------------------------
+
+Installation is supported on a Kubernetes virtual cluster using the [vCluster](https://www.vcluster.com/) software from [Loft Labs](https://loft.sh/). This is indicated by setting `provider` to `vcluster`.
+
+The components which will be installed are the Educates training platform and Kyverno for cluster and workshop security policy enforcement.
+
+For this case Kubernetes ingresses must still work within the virtual cluster. This means you need to have done one of the following:
+
+* Pre-configure the virtual cluster to synchronize ingress resources from the virtual cluster to the underlying host Kubernetes cluster, so that ingresses created in the virtual cluster are handled by the ingress controller running in the underlying host Kubernetes cluster.
+* Install a separate ingress controller into the virtual cluster with its own external ingress router for incoming traffic, or have the ingress controller of the underlying host Kubernetes cluster proxy to the ingress router of the virtual cluster for a suitable wildcard ingress domain.
+
+Virtual clusters created by Educates itself as part of a workshop session satisfy this requirement for working ingresses, and as such it is possible to install Educates inside of Educates for the purposes of creating workshops to train users on Educates. In this scenario though, since security policies would be enforced by the underlying Educates installation, to reduce the amount of resources required and speed up installation of Educates inside of the virtual cluster, installation of Kyverno and enforcement of security policies can be disabled.
+
+```yaml
+# Specify the infrastructure provider hosting the Kubernetes cluster.
+
+clusterInfrastructure:
+ provider: vcluster
+
+# Specify the ingress domain to be used to access the workshops hosted by
+# the Educates installation.
+
+clusterIngress:
+ domain: educates-local-dev.test
+
+# Disable the cluster and security policy engines, and skip installing
+# Kyverno, as policies are enforced by the Educates installation running
+# this workshop session.
+
+clusterPackages:
+ kyverno:
+ enabled: false
+
+clusterSecurity:
+ policyEngine: none
+
+workshopSecurity:
+ rulesEngine: none
+```
diff --git a/project-docs/installation-guides/installation-instructions.md b/project-docs/installation-guides/installation-instructions.md
index 6f20db6f6..dd1bad9e0 100644
--- a/project-docs/installation-guides/installation-instructions.md
+++ b/project-docs/installation-guides/installation-instructions.md
@@ -2,299 +2,99 @@ Installation Instructions
 =========================
-The installation instructions given here are only needed if you are installing into a dedicated Kubernetes cluster and not using the [local Educates environment](quick-start-guide). Ensure you have read the general documentation about [cluster requirements](cluster-requirements) before proceeding with trying to install Educates.
+The installation instructions given here are only needed if you are installing into a dedicated Kubernetes cluster and not using the [local Educates environment](quick-start-guide). Ensure you have read the general documentation about [cluster requirements](cluster-requirements) before proceeding with trying to install Educates into an existing Kubernetes cluster.
-Educates provides a package for installing an ingress controller and other operators it requires, such as Kyverno, so you do not need to have installed these first. Further information on installing these is given below.
-
-Carvel command line tools
--------------------------
-
-These instructions require that you have the Carvel command tools installed and available on the machine from which you are installing Educates. For installing these see:
-
-* [https://carvel.dev/](https://carvel.dev/)
-
-The tools can be installed using a shell script provided by the Carvel project, or using Homebrew on macOS and Linux.
-
-Ensure you are using an up to date version of the tools, and that if you used Homebrew to perform the install, and that was first done a long time ago, that the more recently added ``kctrl`` command line tool was included.
-
-Installing kapp-controller
---------------------------
-
-The standard method for installing Educates relies on the Carvel packaging system and requires that [kapp-controller](https://carvel.dev/kapp-controller/) from Carvel be installed into the Kubernetes cluster.
-
-If you are using a Kubernetes cluster created using Tanzu Kubernetes Grid (TKG) or Tanzu Mission Control (TMC), it will come preinstalled with ``kapp-controller`` and you do not need to install ``kapp-controller`` yourself.
+CLI vs kapp-controller
+----------------------
-If you do need to install ``kapp-controller``, further information can be found at:
+To install Educates into an existing Kubernetes cluster you have two choices.
-* [https://carvel.dev/kapp-controller/docs/develop/install/](https://carvel.dev/kapp-controller/docs/develop/install/)
+The first is to use the `educates` CLI. This is a self contained solution and does not require any special operators to be installed into the Kubernetes cluster, nor any special third party packaging tools to be available on the machine from which you are performing the install, beyond having the CLI itself.
-In most circumstances all you should need to do is run:
+The second relies on having the `kapp-controller` operator from the [Carvel](https://carvel.dev/) project pre-installed into the Kubernetes cluster. You will only need to have `kubectl` available on the machine from which you are performing the install.
-```bash
-kapp deploy -a kc -f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml
-```
+The `educates` CLI provides a more convenient experience for installing Educates into an existing Kubernetes cluster, however using the Carvel packages with `kapp-controller` may work better when using a GitOps approach to managing Kubernetes clusters.
-Loading package definitions
+Opinionated cluster install
 ---------------------------
-The Carvel packaging ecosystem supports the concept of hosted package repositories, and Educates provides such a package repository.
+Whether using the CLI or `kapp-controller` to facilitate installation of Educates, the Educates installation mechanism provides for an opinionated configuration and installation.
-To find what versions of the Educates package repository are available see:
+What this means is that it is possible to simply specify the infrastructure provider for the Kubernetes cluster being used and Educates will use a pre-canned configuration suitable for that provider, to install not just the Educates training platform, but other services and Kubernetes operators required by Educates, or which are beneficial when working with that infrastructure provider.
-* [https://github.com/vmware-tanzu-labs/educates-training-platform/pkgs/container/educates-packages](https://github.com/vmware-tanzu-labs/educates-training-platform/pkgs/container/educates-packages)
+Support is currently provided for the following infrastructure providers.
-To add the definitions from the Educates package repository to your Kubernetes cluster first create a namespace for holding them. You could instead use an existing namespace if you desire.
+* `eks` - Amazon Elastic Kubernetes Service (EKS)
+* `gke` - Google Kubernetes Engine (GKE)
+* `kind` - Kubernetes in Docker (Kind)
+* `vcluster` - Virtual Kubernetes Cluster (Loft)
-```bash
-kubectl create ns educates-package
-```
-
-Then load the package repository definition by running the command:
+Although using a pre-canned configuration, you can still provide customizations on top to modify what is installed and how.
-```bash
-kctrl package repository add -n educates-package --repository educates --url ghcr.io/vmware-tanzu-labs/educates-packages:X.Y.Z
-```
+If your infrastructure provider is not supported and you have a generic Kubernetes cluster available which has an ingress controller pre-installed, but nothing else, you can use the `generic` provider.
-In this example we have used ``X.Y.Z`` as the version of the package repository, however you should use whatever is the latest version available from the page linked above.
+If you would rather roll your own configuration from scratch, the `custom` provider should be used but you would then need to provide a complete configuration for Educates along with enabling what other services you want installed.
-Once the package repository has been added to your Kubernetes cluster you can verify it is listed by running:
+Additional installed services
+-----------------------------
-```bash
-kctrl package repository list -n educates-package
-```
+As noted above, when installing Educates, not just the Educates training platform will be installed, but also other services and Kubernetes operators required by Educates, or which are beneficial when working with a specific infrastructure provider.
-You should see output which includes:
+The list of additional services that configuration is provided for and that can be automatically installed are:
-```
-Name Source Status
-educates (imgpkg) ghcr.io/vmware-tanzu-labs/educates-packages:X.Y.Z Reconcile succeeded
-```
+* `cert-manager` - Certificate manager for Kubernetes.
+* `contour` - Ingress controller for Kubernetes.
+* `external-dns` - External DNS manager for Kubernetes.
+* `kapp-controller` - Carvel package installation operator.
+* `kyverno` - Policy enforcement engine for Kubernetes.
-To see what packages are now available for installation run:
+Typically Kyverno will always be installed as it is used for security policy enforcement for cluster and workshop security.
-```bash
-kctrl package available list -n educates-package
-```
+The `kapp-controller` operator, although it may not be required for installation, may be required if intending to host workshops that make use of it.
-The list should include:
+Other services may be automatically installed depending on which infrastructure provider is used.
-```
-Name Display name
-cluster-essentials.educates.dev Educates Cluster Essentials
-training-platform.educates.dev Educates Training Platform
-```
-
-Neither of the packages has been installed as yet and that will be done in the following steps.
-
-(installing-cluster-essentials)=
-Installing cluster essentials
------------------------------
-
-Educates requires that an ingress controller be installed into the Kubernetes cluster. The recommended ingress controller is [Contour](https://projectcontour.io/).
+Package configuration file
+--------------------------
-If an ingress controller has not already been installed, you can install the ``educates-cluster-essentials`` package to install Contour.
+When performing an installation a package configuration file must be supplied with values to configure Educates.
-The ``educates-cluster-essentials`` package will also install Kyverno. Kyverno is used for security policy enforcement of workshop sessions.
+The format of the configuration file is YAML. The minimal configuration which is required will depend on the infrastructure provider in which the Kubernetes cluster is running, with more detailed configuration being required if specifying a `custom` configuration.
-To configure this package create a values file called ``educates-cluster-essentials-values.yaml`` containing:
+In the case of targeting a Kubernetes cluster which was previously created using Kind, the minimum required configuration would be:
 ```yaml
-clusterPackages:
- contour:
- enabled: true
- settings: {}
- kyverno:
- enabled: true
- settings: {}
+# Specify the infrastructure provider hosting the Kubernetes cluster.
 clusterInfrastructure:
- provider: ""
+ provider: kind
-clusterSecurity:
- policyEngine: "kyverno"
-```
-
-This represents the default configuration.
-
-If a suitable ingress controller is already installed set ``clusterPackages.contour.enabled`` to ``false``.
-
-If you are installing on OpenShift, ``clusterPackages.contour.enabled`` must be set to ``false`` as OpenShift already provides an ingress controller in its default installation.
-
-If a suitable version of Kyverno is already installed set ``clusterPackages.kyverno.enabled`` to ``false``.
-
-If neither is required you can skip installing the package completely.
-
-If you are installing to a local Kubernetes cluster created using ``Kind``, set ``clusterInfrastructure.provider`` to ``kind``. The effect of setting this to ``kind`` will be to configure Contour to only create a ``ClusterIP`` service for Envoy and use host ports, and not a load balancer service. It is important that the Kubernetes cluster created using ``Kind`` exports the ingress controller host ports to the underlying host system in this case.
-
-At this time there is no need to set ``clusterInfrastructure.provider`` for any other infrastructure provider, and in those cases Contour will use a ``LoadBalancer`` service for Envoy.
-
-If you need to override any other configuration for Contour, you can add values to ``clusterPackages.contour.settings``. These currently should correspond to the values accepted for the Contour Carvel package provided by TCE.
-
-* [https://github.com/vmware-tanzu/community-edition/tree/main/addons/packages/contour](https://github.com/vmware-tanzu/community-edition/tree/main/addons/packages/contour)
-
-For Kyverno, you can add values to ``clusterPackages.kyverno.settings``. The only setting that can currrently be supplied for Kyverno is ``replicaCount``. This defaults to 1, but can be set to 3 if you want to deploy Kyverno in HA mode.
-
-Next you must override the value of ``clusterSecurity.policyEngine``. The value depends on how your Kubernetes cluster is configured.
-
-If you are installing to OpenShift, ``clusterSecurity.policyEngine`` must be set to ``security-context-constraints``.
-
-If you are installing to a Kubernetes cluster which has pod security policies enabled, and it associates a default pod security policy with all authenticated users, ``clusterSecurity.policyEngine`` must be set to ``pod-security-policies``.
-
-For all other cases you should override ``clusterSecurity.policyEngine`` and set it to ``kyverno``.
-
-You can if necessary set ``clusterSecurity.policyEngine`` to ``none``, but no security policy enforcement will be done, in which case workshop users would not be restricted from running containers with elevated privileges. Using ``none`` is okay for testing on your own local system, but should never be done where untrusted users would be doing workshops. If you do use ``none`` and develop your own workshops, you may also find those workshops will then not work on an Educates instance which does security policy enforcement. It is thus recommended to always at least set this to ``kyverno`` if not restricted otherwise by how the Kubernetes cluster is configured.
-
-Note that the same setting used here for ``clusterSecurity.policyEngine`` will also need to be used later when installing the Educates training platform package.
-
-To install the ``educates-cluster-essentials`` package first determine what versions are included with the Educates package repository you added by running:
-
-```bash
-kctrl package available get -n educates-package --package cluster-essentials.educates.dev
-```
-
-You can then install the desired version by running:
-
-```bash
-kctrl package install -n educates-package --package-install educates-cluster-essentials --package cluster-essentials.educates.dev --values-file educates-cluster-essentials-values.yaml --version "X.Y.Z"
-```
-
-Ensure you subsitute ``X.Y.Z`` with the actual version corresponding to the package definition which was loaded.
-
-The ``--values-file`` option is used to supply the values file you created above.
-
-Cluster ingress domain
-----------------------
+# Specify the ingress domain to be used to access the workshops hosted by
+# the Educates installation.
-For Educates to work it needs to be configured with an ingress domain.
-
-If you want to configure Educates to use secure ingress, you need to have a wildcard TLS certificate for that ingress domain. If you do not have a wildcard TLS certificate for the ingress domain, then some features of workshops (such as per session image registries) will not work.
-
-The preferred scenario is that you bring your own custom domain name and matching wildcard TLS certificate for that domain.
-
-The first required step in using your own custom domain is to configure your DNS servers with a ``CNAME`` or equivalent entry to map all host name lookups under the domain (e.g., ``*.example.com``) to the IP address or host name of the inbound ingress router for the Kubernetes cluster. How you calculate the IP address or host name of the inbound ingress router will depend on what infrastructure is being used to host the Kubernetes cluster and how the ingress controller was installed.
-
-In the simplest case, using Contour installed with the ``educates-cluster-essentials`` package where a ``LoadBalancer`` service type for Envoy is being used, you may be able to determine the IP address or host name of the inbound ingress router by running:
-
-```bash
-kubectl get service/envoy -n projectcontour
-```
-
-If you have a matching wildcard TLS certificate for the ingress domain, you now need to create a Kubernetes secret for the certificate and load it into the Kubernetes cluster.
-
-If you had used ``certbot`` to generate the certificate from LetsEncrypt using a DNS challenge, you should be able to create the secret resource file using a command similar to:
-
-```bash
-kubectl create secret tls example.com-tls --cert=$HOME/.letsencrypt/config/live/example.com/fullchain.pem --key=$HOME/.letsencrypt/config/live/example.com/privkey.pem --dry-run=client -o yaml > example.com-tls.yaml
-```
-
-Replace ``example.com`` with the name of your custom domain name.
-
-Load the secret into the Kubernetes cluster using:
-
-```bash
-kubectl apply -n default -f example.com-tls.yaml
-```
-
-In this case we created the secret in the ``default`` namespace. You can use a different namespace if desired as the namespace will need to be listed explicitly in the configuration for Educates in a subsequent step.
-
-If you do not have your own custom domain name, it is possible to use a ``nip.io`` address mapped to the IP address of the inbound ingress router host, however, because it will not be possible to obtain a TLS certificate for the domain, you will not be able to use secure ingress.
-
-(create-the-configuration)=
-Create the configuration
-------------------------
-
-With the pre-requisites now installed in the Kubernetes cluster, installation of the Educates training platform can be done using the ``educates-training-platform`` package.
-
-To configure this package create a values file called ``educates-training-platform-values.yaml`` containing:
-
-```yaml
 clusterIngress:
- domain: "example.com"
- tlsCertificateRef:
- namespace: "default"
- name: "example.com-tls"
-
-clusterSecurity:
- policyEngine: "kyverno"
-
-workshopSecurity:
- rulesEngine: "kyverno"
-```
-
-This is the most minimal configuration needed to install the Educates training platform.
-
-Set ``clusterSecurity.policyEngine`` to the same value you used when installing the ``educates-cluster-essentials`` package.
- -That is, if you are installing to OpenShift, ``clusterSecurity.policyEngine`` must be set to ``security-context-constraints``. - -If you are installing to a Kubernetes cluster which has pod security policies enabled, and it associates a default pod security policy with all authenticated users, ``clusterSecurity.policyEngine`` must be set to ``pod-security-policies``. - -For all other cases you should override ``clusterSecurity.policyEngine`` and set it to ``kyverno``. - -The value of ``workshopSecurity.rulesEngine`` should also be set to ``kyverno``. If can be set to ``none``, and this is okay for testing on your own local system, but should never be done where untrusted users would be doing workshops. - -For ingresses, set ``clusterIngress.domain`` to your custom domain name, or appropriate ``nip.io`` domain. - -If you have a wildcard TLS certificate, update ``clusterSecurity.tlsCertificateRef.name``, setting it to the name of the Kubernetes secret you created containing it. Change ``clusterSecurity.tlsCertificateRef.name`` if you created the secret in a namespace other than ``default``. - -If you do not have a wildcard TLS for the domain name you are using, delete the ``tlsCertificateRef`` section, including everything under it. If you comment out the section instead, you must use the ``#!`` comment prefix. - -There are a range of other settings that can optionally be set. For more details on these settings and whether you may need to use them see the documentation on {any}`configuration settings `. 
- -Installing training platform ----------------------------- - -To install the ``educates-training-platform`` package first determine what versions are included with the Educates package repository you added by running: - -```bash -kctrl package available get -n educates-package --package training-platform.educates.dev -``` - -You can then install the desired version by running: - -```bash -kctrl package install -n educates-package --package-install educates-training-platform --package training-platform.educates.dev --values-file educates-training-platform-values.yaml --version "X.Y.Z" + domain: educates-local-dev.test ``` -Ensure you subsitute ``X.Y.Z`` with the actual version corresponding to the package definition which was loaded. - -The ``--values-file`` option is used to supply the values file you created above. +The `clusterInfrastructure.provider` property specifies the identifier for the infrastructure provider to which Educates is being installed. -Deleting the installation -------------------------- +The `clusterIngress.domain` property needs to be set to the parent domain under which Educates is to be hosted. -It is recommended to remove any workshop environments before deleting Educates from the Kubernetes cluster. This will ensure that everything can be cleaned up properly. +Where additional configuration is provided, these will override global defaults, or those for a specific infrastructure provider. -To delete all current running workshop environments run: - -```bash -kubectl delete workshops,trainingportals,workshoprequests,workshopsessions,workshopenvironments --all --cascade=foreground -``` +See the general documentation on [Configuration Settings](configuration-settings) for customizing the Educates installation. -The ``--cascade=foreground`` command ensures that the command only returns once all workshop environments have been deleted. This is necessary as otherwise deletion will occur in the background. 
- -To make sure everything is deleted, run: - -```bash -kubectl get workshops,trainingportals,workshoprequests,workshopsessions,workshopenvironments --all-namespaces -``` +For more details on configuration requirements for specific infrastructure providers see the documentation on [Infrastructure Providers](infrastructure-providers). -There should be nothing remaining. - -The Educates training platform can then be deleted by running: - -```bash -kctrl package installed delete -n educates-package --package-install educates-training-platform -``` - -and confirming that you want to delete it. +Performing the installation +--------------------------- -Once deletion has finished you can safely re-install the Educates training platform. +To perform the installation see the documentation on the process you intend using. -If you instead wanted to clean up everything, you can also delete the pre-requisites installed above using: +* [CLI Based Installation](cli-based-installation) - Installing Educates using the Educates CLI. +* [Carvel Based Installation](carvel-based-installation) - Installing Educates using pre-installed `kapp-controller` operator. -```bash -kctrl package installed delete -n educates-package --package-install educates-cluster-essentials -``` +Note that both of these relate to installing Educates into an existing Kubernetes cluster. If you are trying Educates for the first time it is recommended not to use an existing Kubernetes cluster, but use the Educates CLI to create a local Educates environment, including a Kubernetes cluster, for you. -Note that if the ``educates-cluster-essentials`` package was used to install Contour and you were intending to use the Kubernetes cluster for some other purpose, you would need to re-install an ingress controller using some other method. +* [Quick Start Guide](quick-start-guide) - Quick start guide for installing Educates and deploying a workshop. 
+* [Local Environment](local-environment) - More detailed guide for installing a local Educates environment. diff --git a/project-docs/portal-rest-api/session-management.md b/project-docs/portal-rest-api/session-management.md index 906ee2cbe..bd67e162a 100644 --- a/project-docs/portal-rest-api/session-management.md +++ b/project-docs/portal-rest-api/session-management.md @@ -84,7 +84,7 @@ curl -H "Authorization: Bearer " https://lab-markdown-sample-ui.te If the supplied ID matches a user in the training portal, it will be used internally by the training portal, and the same value will be returned for ``user`` in the response. -When the user does match, if there is already a workshop session allocated to the user for the workshop environment the request is made against, a link to the existing workshop session will be returned rather than creating a new workshop session. +When the user does match, if there is already a workshop session allocated to the user for the workshop environment the request is made against, a link to the existing workshop session will be returned rather than creating a new workshop session, although if no existing session is found, a new workshop session will still be created if there is capacity. If you would rather a new workshop session not be created and want to guarantee that only the existing workshop session is returned, you need to remember the name of the prior session and supply it along with the ``user`` value as the ``session`` param. Where the front end using the REST API has it's own globally unique concept of a user ID, it can supply it using the ``user`` param in all requests. When this is done, rather than the training portal generating a user identifier the supplied identifier will be used instead. In this case the ``user`` parameter returned with the response will always match that supplied with the request. 
diff --git a/project-docs/project-details/project-roadmap.md b/project-docs/project-details/project-roadmap.md index 0d91b6cdb..0560e2c1b 100644 --- a/project-docs/project-details/project-roadmap.md +++ b/project-docs/project-details/project-roadmap.md @@ -40,7 +40,8 @@ they will be removed sometime in the 3.X series of Educates releases: resource definitions, but the `PackageRepository` resource type which bundles access to multiple versions will go away. This is being done because in-place rolling updates of the Educates version isn't always feasible and it is always - recommended to install from scratch rather than upgrading. + recommended to install from scratch rather than upgrading. **Changes made in + Educates 3.0.0.** * The `skaffold` command line tool will be removed. If this is required for a specific workshop it will need to install it as part of workshop setup. @@ -62,7 +63,8 @@ Other notable changes intended to be made with version 3.X of Educates are: in the Kubernetes cluster is being removed. The `kapp-controller` package will still be able to be optionally installed as it may still be required by workshops that depend on it. The CLI will also support opinionated installs - of Educates to IaaS providers such as AWS, GCP and Azure. + of Educates to IaaS providers such as AWS, GCP and Azure. **Changes made in + Educates 3.0.0.** * First class support for OpenShift will be added back into Educates after having previously been removed. This will include support for using the diff --git a/project-docs/release-notes/version-3.0.0.md b/project-docs/release-notes/version-3.0.0.md new file mode 100644 index 000000000..6bb66e8a8 --- /dev/null +++ b/project-docs/release-notes/version-3.0.0.md 
@@ -0,0 +1,135 @@ +Version 3.0.0 +============= + +Upcoming Changes +---------------- + +For details on significant changes in future versions, including feature +deprecations and removals which may necessitate updates to existing workshops, +see [Upcoming changes](upcoming-changes). + +New Features +------------ + +* New data variable added for `registry_auth_token`. This combines both the + registry username and password, separated by a colon, and base64 encoded. The + format is as would be expected for HTTP Basic authentication. The variable can + be used when setting headers for a session ingress proxy. This is also + available as an environment variable in a workshop session as the variable + `REGISTRY_AUTH_TOKEN`. + +* New data variable added for `git_auth_token`. This combines both the Git + username and password, separated by a colon, and base64 encoded. The format is + as would be expected for HTTP Basic authentication. The variable can be used + when setting headers for a session ingress proxy. This is also available as an + environment variable in a workshop session as the variable `GIT_AUTH_TOKEN`. + +* The identifier for the user to which a workshop session is allocated is now + recorded in the status of the `WorkshopSession` resource, as well as in the + `WorkshopAllocation` resource. + +* The capacity details for a workshop environment are now recorded in the status + of the `WorkshopEnvironment` resource. + +* When requesting a workshop session via the REST API, if the `session` param is + supplied along with `user` then an existing workshop session for the user will + only be returned if the name of that session also matches that supplied. When + `session` is supplied in this way, a new workshop session will never be + created and the response will indicate no session is available instead if no + existing workshop session is found. 
To make use of this any front end would + have to remember the prior session name, or otherwise first discover the name + of the existing workshop session by looking up via the REST API, sessions + which are active for the user. + +* An initial version of a new lookup service has been integrated which provide + a REST API for request workshop sessions which can sit in front of multiple + training portals, on the same cluster or across multiple clusters. We are + still fine tuning this so documentation isn't yet available, buf if interested + then ask about it on the Educates community Slack channel. + +Features Changed +---------------- + +* Installation of Educates to an existing Kubernetes cluster using Carvel + `PackageRespository` mechanism has been removed. Simpler mechanism using + Carvel `App` resource should now be used. See [Installation + instructions](installation-instructions) for updated details. + +* Installation of Educates to an existing Kubernetes cluster is now easier using + the Educates CLI. See [Installation instructions](installation-instructions) + for updated details. + +* The `educates admin config` group of commands is now accessible using + `educates local config`. + +* The `educates admin secrets` group of commands is now accessible using + `educates local secrets`. + +* The `educates admin registry` group of commands is now accessible using + `educates local registry`. + +* The `educates admin resolver` group of commands is now accessible using + `educates local resolver`. + +* The `educates admin platform update` command no longer exists for when using + local user config with `educates create-cluster`. If you want to update the + in-cluster configuration for Educates when using the local user config, you + will need to run `educates admin platform deploy` command and supply the + `--local-config` option. 
+ + ``` + educates local config edit + educates admin platform deploy --local-config + ``` + +* Installation of an ingress controller inside of a virtual cluster is no + longer dependent on having `kapp-controller` installed on the underlying + host cluster. + +* When the orphaned timeout is specified for a workshop in the training portal, + if the browser page has been closed for that period of time the workshop + session will be terminated. In addition to this behaviour when the orphaned + timeout is specified, if a browser page/tab is hidden for a period of 3 times + the orphaned timeout, indicating that the workshop user is not interacting + with the workshop session, the workshop session will now also be terminated. + Thus if the orphaned timeout had been set to 5 minutes, the workshop session + where the browser page had been hidden/inactive for 15 minutes will be + terminated. Note that what constitutes hidden may depend on the web browser. + For example, a browser may not mark the page as hidden if the browser page is + not full screen and is merely covered by another window from the same + workspace. Do note that for supervised workshops where the whole event only + lasts a certain amount of time, you should avoid the orphaned timeout setting + so that a users session is not deleted when they take breaks and their + computer goes to sleep. + +* When using the `educates create-portal` command, labels can now be specified + for the portal via command line options. + +Bugs Fixed +---------- + +* Theme overrides were not being applied to access control pages of the + training portal. + +* The `changeOrigin` property was missing from the `Workshop` custom resource + defintion for `ingresses` even though was documented as something that could + be set. + +* The `educates local config edit` command would fail if run prior to having + ever created a local Educates cluster as the config directory would not exist. 
+ +* Fixes a timing issue where the `phase` recorded against a `WorkshopSession` + resource created by a training portal, would revert to `Available` rather than + being set to be `Allocated`. + +* An attempt to reacquire a workshop session for a user via the REST API which + had not been created via the REST API but by the web interface would result in + an internal error. Now properly disallow the request for this case and return + an error saying session cannot be reacquired. + +* When an index URL was supplied to the training portal in the `TrainingPortal` + resource, or via the REST API, if the URL had query string parameters, the + query string param added by the training platform with the notification + message, was not being merged with the existing set of query string parameters + and was instead being added to the value of the last query string parameter in + the URL. diff --git a/project-docs/requirements.txt b/project-docs/requirements.txt index e365180b1..922e6f02f 100644 --- a/project-docs/requirements.txt +++ b/project-docs/requirements.txt @@ -1,5 +1,7 @@ sphinx<7.2.0 +sphinx-copybutton==0.5.2 sphinx-rtd-theme==2.0.0 +sphinx-design<0.6.0 recommonmark==0.7.1 myst-parser==2.0.0 attrs==23.2.0 diff --git a/project-docs/workshop-content/working-on-content.md b/project-docs/workshop-content/working-on-content.md index 3312d9874..71a5fc164 100644 --- a/project-docs/workshop-content/working-on-content.md +++ b/project-docs/workshop-content/working-on-content.md 
@@ -251,6 +251,8 @@ The `educates` CLI provides a way to serve workshop instructions from your local educates serve-workshop --patch-workshop ``` +**NOTE**: For this to work, you need [hugo](https://gohugo.io/) to be available on your development machine. + The `--patch-workshop` command in this case will cause the workshop definition for the workshop to be patched so that workshop instructions will be sourced from a HTTP server run by the `educates serve-workshop` command. Under the covers what the `--patch-workshop` command is doing is injecting the following configuration into the workshop definition. diff --git a/project-docs/workshop-content/workshop-instructions.md b/project-docs/workshop-content/workshop-instructions.md index b00188621..649597f85 100644 --- a/project-docs/workshop-content/workshop-instructions.md +++ b/project-docs/workshop-content/workshop-instructions.md @@ -720,7 +720,7 @@ To show you understand ... ``` ~~~ -The ``title`` should be set to the text you you want included in the banner for the clickable action. +The ``title`` should be set to the text you want included in the banner for the clickable action. A clickable action will only be shown for the beginning of the section and that for the end will always be hidden. Clicking on the action for the begining will expand the section. The section can be collapsed again by clicking on the action. diff --git a/secrets-manager/handlers/secretcopier_funcs.py b/secrets-manager/handlers/secretcopier_funcs.py index e699f3b31..a6672a489 100644 --- a/secrets-manager/handlers/secretcopier_funcs.py +++ b/secrets-manager/handlers/secretcopier_funcs.py @@ -442,8 +442,8 @@ def glob_match_name(name, items): try: pykube.Secret(api, target_secret_obj).create() - except pykube.exceptions.HTTPError as e: - if e.code == 409: + except pykube.exceptions.HTTPError as exc: + if exc.code == 409: logger.warning( f"Secret {target_secret_name} in namespace {target_secret_namespace} already exists." ) 
diff --git a/secrets-manager/requirements.txt b/secrets-manager/requirements.txt index b49fd8590..6469bf6e3 100644 --- a/secrets-manager/requirements.txt +++ b/secrets-manager/requirements.txt @@ -1,5 +1,5 @@ kopf[full-auth]==1.36.2 bcrypt==4.1.2 -aiohttp==3.9.4 +aiohttp==3.10.2 PyYAML==6.0.1 pykube-ng==23.6.0 diff --git a/session-manager/handlers/application_git.py b/session-manager/handlers/application_git.py index d7db090d1..e30390619 100644 --- a/session-manager/handlers/application_git.py +++ b/session-manager/handlers/application_git.py @@ -1,16 +1,20 @@ import random import string +import base64 from .operator_config import OPERATOR_API_GROUP, INGRESS_DOMAIN, INGRESS_PROTOCOL +from .helpers import substitute_variables def git_workshop_spec_patches(workshop_spec, application_properties): characters = string.ascii_letters + string.digits - git_host = f"git-$(session_namespace).{INGRESS_DOMAIN}" - git_username = "$(session_namespace)" + git_host = f"git-$(session_name).{INGRESS_DOMAIN}" + git_username = "$(session_name)" git_password = "".join(random.sample(characters, 32)) + git_auth_token = "$(base64($(git_username):$(git_password)))" + return { "spec": { "session": { @@ -34,6 +38,10 @@ def git_workshop_spec_patches(workshop_spec, application_properties): "name": "git_password", "value": git_password, }, + { + "name": "git_auth_token", + "value": git_auth_token, + }, ], "env": [ { @@ -52,6 +60,10 @@ def git_workshop_spec_patches(workshop_spec, application_properties): "name": "GIT_PASSWORD", "value": git_password, }, + { + "name": "GIT_AUTH_TOKEN", + "value": git_auth_token, + }, ], } } diff --git a/session-manager/handlers/application_vcluster.py b/session-manager/handlers/application_vcluster.py index 94d32fe3f..3b0cea28c 100644 --- a/session-manager/handlers/application_vcluster.py +++ b/session-manager/handlers/application_vcluster.py @@ -1,3 +1,5 @@ +import os + import yaml from .helpers import xget 
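Review bot: The context line `git_password = "".join(random.sample(characters, 32))` still draws the per-session Git credential from the `random` module, which is not a cryptographic source, and `sample` also rules out repeated characters, shrinking the keyspace; since this hunk already reworks the credential lines and adds `import base64`, it is the natural place to add `import secrets` and use `git_password = "".join(secrets.choice(characters) for _ in range(32))`. The added `import base64` and `from .helpers import substitute_variables` are not referenced in any hunk shown for this file — the `$(base64(...))` wrapper in `git_auth_token` is presumably a placeholder resolved later by whoever runs `substitute_variables` over the spec — so if the rest of `git_workshop_spec_patches`, which continues past this hunk, does not use them either they should go. A short comment on the new line, `# base64(user:pass) for HTTP Basic auth; same secret as GIT_PASSWORD, not a separate token`, would keep readers from treating `GIT_AUTH_TOKEN` as less sensitive than the password.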
@@ -281,6 +283,9 @@ def vcluster_session_objects_list(workshop_spec, application_properties): ingress_subdomains = xget(application_properties, "ingress.subdomains", []) ingress_subdomains = sorted(ingress_subdomains + ["default"]) + map_services_from_virtual = xget(application_properties, "services.fromVirtual", []) + map_services_from_host = xget(application_properties, "services.fromHost", []) + sync_resources = "hoststorageclasses,-ingressclasses" if ingress_enabled: 
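Review bot: `xget(application_properties, "services.fromVirtual", [])` hands back the caller's own list whenever the key is present (the `[]` default is only used when it is missing), and the later `map_services_from_virtual.append({...})` in this function then writes the envoy mapping into `application_properties` itself; if the same properties object is reused across calls (plausible for a per-session generator, though the caller is not visible here) every call appends another duplicate `--map-virtual-service` argument. Copying at the point of extraction avoids that: `map_services_from_virtual = list(xget(application_properties, "services.fromVirtual", []))` and likewise `map_services_from_host = list(xget(application_properties, "services.fromHost", []))`. `vcluster_session_objects_list` starts before and continues after this hunk.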
@@ -290,19 +295,146 @@ def vcluster_session_objects_list(workshop_spec, application_properties): vcluster_objects = xget(application_properties, "objects", []) + # If ingress controller is enabled for vcluster, add Contour objects + + if ingress_enabled: + # We need to read the Contour resources objects from files stored in + # the "../packages/contour/upstream" directory relative to this source + # file, and add them to the vcluster objects list. The files are: + # + # 00-common.yaml + # 01-contour-config.yaml + # 01-crds.yaml + # 02-job-certgen.yaml + # 02-role-contour.yaml + # 02-rbac.yaml + # 02-service-contour.yaml + # 03-contour.yaml + # 03-envoy.yaml + # + # We ignore "02-service-envoy.yaml" as we need to replace it with a + # version which exposes the service as a ClusterIP instead of a + # LoadBalancer. + + contour_objects = [] + + def relpath(*paths): + return os.path.join(os.path.dirname(__file__), *paths) + + with open( + relpath("../packages/contour/upstream/00-common.yaml"), encoding="utf-8" + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/01-contour-config.yaml"), + encoding="utf-8", + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/01-crds.yaml"), encoding="utf-8" + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/02-job-certgen.yaml"), + encoding="utf-8", + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/02-role-contour.yaml"), encoding="utf-8" + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/02-rbac.yaml"), encoding="utf-8" + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/02-service-contour.yaml"), + encoding="utf-8", + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) 
+ + with open( + relpath("../packages/contour/upstream/03-contour.yaml"), encoding="utf-8" + ) as f: + contour_objects.extend(yaml.safe_load_all(f)) + + with open( + relpath("../packages/contour/upstream/03-envoy.yaml"), encoding="utf-8" + ) as f: + # For the case of the envoy DaemonSet, we need to remove the + # hostPort properties from the container port definitions, as + # we do not allow hostPort and do not need it since we will proxy + # to the envoy service as a ClusterIP. + + for obj in yaml.safe_load_all(f): + if obj.get("kind") == "DaemonSet": + for container in obj["spec"]["template"]["spec"]["containers"]: + for port in container.get("ports", []): + port.pop("hostPort", None) + + contour_objects.append(obj) + + vcluster_objects.extend(contour_objects) + + # Add the Contour service with a ClusterIP instead of a LoadBalancer + + contour_service = { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "envoy", + "namespace": "projectcontour", + }, + "spec": { + "type": "ClusterIP", + "ports": [ + { + "name": "http", + "port": 80, + "protocol": "TCP", + "targetPort": 8080, + }, + { + "name": "https", + "port": 443, + "protocol": "TCP", + "targetPort": 8443, + }, + ], + "selector": { + "app": "envoy", + }, + }, + } + + vcluster_objects.append(contour_service) + + # Now need to tell vcluster to map the envoy service from the internal + # projectcontour namespace to the external namespace for the sessions + # virtual cluster. 
+ + map_services_from_virtual.append( + { + "from": "projectcontour/envoy", + "to": "my-vcluster-envoy", + } + ) + syncer_args = [] syncer_args.append(f"--sync={sync_resources}") - map_services_from_virtual = xget(application_properties, "services.fromVirtual", []) - for mapping in map_services_from_virtual: from_virtual = mapping["from"] to_host = mapping["to"] syncer_args.append(f"--map-virtual-service={from_virtual}={to_host}") - map_services_from_host = xget(application_properties, "services.fromHost", []) - for mapping in map_services_from_host: from_host = mapping["from"] to_virtual = mapping["to"] @@ -713,7 +845,8 @@ def vcluster_session_objects_list(workshop_spec, application_properties): "--out-kube-config-secret=$(session_namespace)-vc-kubeconfig", "--kube-config-context-name=my-vcluster", "--leader-elect=false", - ] + syncer_args, + ] + + syncer_args, "livenessProbe": { "httpGet": { "path": "/healthz", 
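Review bot: The nine back-to-back `with open(relpath(...))` blocks in the `if ingress_enabled:` branch differ only in the file name, and the hostPort-stripping for `03-envoy.yaml` is buried in the last of them; a single loop over a tuple of manifest names reads better and makes the deliberate omission of `02-service-envoy.yaml` explicit. The same branch also grows `vcluster_objects`, which is the caller's `application_properties["objects"]` list whenever that key is present (`xget` only returns the `[]` default when it is absent), so `vcluster_objects.extend(contour_objects)` and the `append` of the ClusterIP service write into the properties object; copy it first with `vcluster_objects = list(xget(application_properties, "objects", []))`. The host-side service name `my-vcluster-envoy` is also spelled out in three places (the mapping here and the two Ingress backends in the later hunks), which a module-level constant would keep in step. `vcluster_session_objects_list` starts before and continues after this hunk.
```python
    vcluster_objects = list(xget(application_properties, "objects", []))

    if ingress_enabled:
        # Upstream Contour manifests applied inside the virtual cluster.
        # 02-service-envoy.yaml is deliberately omitted: it declares a
        # LoadBalancer service and is replaced below by a ClusterIP one.
        contour_manifests = (
            "00-common.yaml",
            "01-contour-config.yaml",
            "01-crds.yaml",
            "02-job-certgen.yaml",
            "02-role-contour.yaml",
            "02-rbac.yaml",
            "02-service-contour.yaml",
            "03-contour.yaml",
            "03-envoy.yaml",
        )

        def relpath(*paths):
            return os.path.join(os.path.dirname(__file__), *paths)

        contour_objects = []

        for manifest in contour_manifests:
            with open(
                relpath("../packages/contour/upstream", manifest), encoding="utf-8"
            ) as f:
                for obj in yaml.safe_load_all(f):
                    # hostPort is not permitted in the session namespace and is
                    # not needed: traffic reaches envoy via its ClusterIP service.
                    if manifest == "03-envoy.yaml" and obj.get("kind") == "DaemonSet":
                        for container in obj["spec"]["template"]["spec"]["containers"]:
                            for port in container.get("ports", []):
                                port.pop("hostPort", None)
                    contour_objects.append(obj)

        vcluster_objects.extend(contour_objects)

        # … unchanged: ClusterIP envoy service and services.fromVirtual mapping …
```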
@@ -780,54 +913,6 @@ def vcluster_session_objects_list(workshop_spec, application_properties): ] if ingress_enabled: - objects.extend( - [ - { - "apiVersion": "v1", - "kind": "Secret", - "metadata": { - "name": "contour-values", - "namespace": "$(session_namespace)-vc", - }, - "stringData": { - "values.yml": "envoy:\n service:\n type: ClusterIP" - }, - }, - { - "apiVersion": "kappctrl.k14s.io/v1alpha1", - "kind": "App", - "metadata": { - "name": "contour.community.tanzu.vmware.com.1.22.0", - "namespace": "$(session_namespace)-vc", - }, - "spec": { - "cluster": { - "namespace": "default", - "kubeconfigSecretRef": { - "name": "$(vcluster_secret)", - "key": "config", - }, - }, - "fetch": [{"imgpkgBundle": {"image": CONTOUR_BUNDLE_IMAGE}}], - "template": [ - { - "ytt": { - "paths": ["config/"], - "valuesFrom": [ - {"secretRef": {"name": "contour-values"}} - ], - } - }, - {"kbld": {"paths": ["-", ".imgpkg/images.yml"]}}, - ], - "deploy": [{"kapp": {}}], - "noopDelete": True, - "syncPeriod": "24h", - }, - }, - ] - ) - ingress_body = { "apiVersion": "networking.k8s.io/v1", "kind": "Ingress", @@ -852,7 +937,7 @@ def vcluster_session_objects_list(workshop_spec, application_properties): "pathType": "Prefix", "backend": { "service": { - "name": "envoy-x-projectcontour-x-my-vcluster", + "name": "my-vcluster-envoy", "port": {"number": 80}, } }, @@ -875,7 +960,7 @@ def vcluster_session_objects_list(workshop_spec, application_properties): "pathType": "Prefix", "backend": { "service": { - "name": "envoy-x-projectcontour-x-my-vcluster", + "name": "my-vcluster-envoy", "port": {"number": 80}, } }, diff --git a/session-manager/handlers/daemons.py b/session-manager/handlers/daemons.py index 344cc986f..1dfe6979f 100644 --- a/session-manager/handlers/daemons.py +++ b/session-manager/handlers/daemons.py 
@@ -96,8 +96,8 @@ def purge_terminated_resources(namespace): logger.info(f"Forcibly deleting finalizers on {resource.obj}.") resource.metadata["finalizers"] = None resource.update() - except pykube.exceptions.KubernetesError as e: - if e.code != 404: + except pykube.exceptions.KubernetesError as exc: + if exc.code != 404: logger.error( f"Could not delete finalizers on {resource.obj}." ) diff --git a/session-manager/handlers/helpers.py b/session-manager/handlers/helpers.py index 324690fc2..ddc33ff33 100644 --- a/session-manager/handlers/helpers.py +++ b/session-manager/handlers/helpers.py @@ -1,3 +1,6 @@ +import base64 + + def xget(obj, key, default=None): """Looks up a property within an object using a dotted path as key. If the property isn't found, then return the default value. @@ -48,15 +51,25 @@ def resource_owned_by(child, parent): return False -def substitute_variables(obj, variables): +def substitute_variables(obj, variables, encode=True, recurse=6): if isinstance(obj, str): - for k, v in variables.items(): - obj = obj.replace(f"$({k})", v) + original_obj = obj + for _ in range(recurse): + if "$(" not in obj: + break + for k, v in variables.items(): + obj = obj.replace(f"$({k})", v) + if obj == original_obj: + break + if encode and obj.startswith("$(base64(") and obj.endswith("))"): + obj = base64.b64encode(obj[9:-2].encode("utf-8")).decode("ascii").strip() return obj elif isinstance(obj, dict): - return {k: substitute_variables(v, variables) for k, v in obj.items()} + return {k: substitute_variables(v, variables, encode, recurse) for k, v in obj.items()} elif isinstance(obj, list): - return [substitute_variables(v, variables) for v in obj] + return [substitute_variables(v, variables, encode, recurse) for v in obj] + elif callable(obj): + return obj(variables) else: return obj diff --git a/session-manager/handlers/kyverno_rules.py b/session-manager/handlers/kyverno_rules.py index 4c5b96528..1732d67cc 100644 --- a/session-manager/handlers/kyverno_rules.py 
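Review bot: In `substitute_variables`, every pass of the `for _ in range(recurse)` loop re-scans the already-substituted string, so a variable value that itself contains `$(name)` is expanded on the following pass; if that nested expansion is intended it belongs in the docstring together with the new `encode` and `recurse` parameters, and if it is not, a single pass is the safer choice for values that may carry user-supplied text. The early exit `if obj == original_obj: break` compares against the input, so once a first pass changed anything it can never fire again and the loop only stops on `"$(" not in obj` or on exhausting `recurse`; comparing against the previous pass, `before = obj` at the top of the loop and `if obj == before: break` after the inner loop, makes the convergence check effective. The trailing `.strip()` on the base64 result is a no-op and can be dropped.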
+++ b/session-manager/handlers/kyverno_rules.py @@ -17,7 +17,7 @@ @synchronized def kyverno_environment_rules(workshop_spec, environment_name): - action = xget(workshop_spec, "session.namespaces.security.rules.action", "enforce") + action = xget(workshop_spec, "session.namespaces.security.rules.action", "Enforce") exclude = xget(workshop_spec, "session.namespaces.security.rules.exclude", []) rules = [] diff --git a/session-manager/handlers/trainingportal.py b/session-manager/handlers/trainingportal.py index bbd2d6be0..3186ec2b0 100644 --- a/session-manager/handlers/trainingportal.py +++ b/session-manager/handlers/trainingportal.py @@ -86,6 +86,8 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, # Calculate name for the portal namespace. portal_name = name + portal_uid = uid + portal_namespace = f"{portal_name}-ui" # Calculate access details for the portal. The hostname used to access the @@ -388,6 +390,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/policy.engine": CLUSTER_SECURITY_POLICY_ENGINE, f"training.{OPERATOR_API_GROUP}/policy.name": "baseline", }, @@ -444,6 +447,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "roleRef": { @@ -472,6 +476,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "roleRef": { 
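Review bot: The default for `session.namespaces.security.rules.action` becomes `"Enforce"`, but a value present in `workshop_spec` is passed through unchanged, so a workshop still written with the previous default `enforce` reaches the policy as-is; where `action` is consumed lies outside the hunk, so whether a lowercase value is rejected or silently accepted cannot be seen here. Normalising at the read site, `action = action.capitalize()` on the line after the `xget` call, would make existing specs and the new default agree, assuming only the `Enforce`/`Audit` spellings are meant to be supported.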
@@ -530,6 +535,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, } @@ -544,6 +550,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "type": "kubernetes.io/service-account-token", @@ -557,6 +564,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "roleRef": { @@ -584,6 +592,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "spec": { @@ -604,6 +613,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "data": { @@ -620,6 +630,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/portal.services.dashboard": "true", }, }, 
@@ -633,6 +644,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "deployment": "training-portal", f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/portal.services.dashboard": "true", }, }, @@ -850,6 +862,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "spec": { @@ -868,6 +881,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, "annotations": {}, }, @@ -936,6 +950,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "spec": { @@ -969,6 +984,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "spec": { @@ -997,6 +1013,7 @@ def training_portal_create(name, uid, body, spec, status, patch, runtime, retry, "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "spec": { 
diff --git a/session-manager/handlers/workshopallocation.py b/session-manager/handlers/workshopallocation.py index dd06b4d62..de4d84390 100644 --- a/session-manager/handlers/workshopallocation.py +++ b/session-manager/handlers/workshopallocation.py @@ -126,6 +126,7 @@ def workshop_allocation_resume(name, **_): ) def workshop_allocation_create( name, + body, uid, meta, spec, @@ -146,8 +147,16 @@ def workshop_allocation_create( portal_name = meta.get("labels", {}).get( f"training.{OPERATOR_API_GROUP}/portal.name", "" ) + portal_uid = meta.get("labels", {}).get( + f"training.{OPERATOR_API_GROUP}/portal.uid", "" + ) environment_name = spec["environment"]["name"] + + environment_uid = meta.get("labels", {}).get( + f"training.{OPERATOR_API_GROUP}/environment.uid", "" + ) + workshop_namespace = environment_name session_name = spec["session"]["name"] @@ -447,7 +456,9 @@ def workshop_allocation_create( f"training.{OPERATOR_API_GROUP}/component.group": "objects", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/session.objects": "true", } @@ -483,6 +494,17 @@ def workshop_allocation_create( session_name, ) + report_analytics_event( + "Resource/PermanentError", + { + "kind": "WorkshopAllocation", + "name": name, + "uid": uid, + "retry": retry, + "message": f"Unable to create workshop request objects for workshop session, failed on creating workshop request object {object_name} of type {object_type} in namespace {object_namespace} for workshop session {session_name}.", + }, + ) + patch["status"] = { OPERATOR_STATUS_KEY: { "phase": "Failed", 
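Review bot: `environment_uid` and `portal_uid` are taken from the WorkshopAllocation's own labels via `meta.get("labels", {})`, whereas `workshop_session_create` in workshopsession.py resolves `environment_uid` from `environment_instance.obj["metadata"]["uid"]`, the live resource. A label is written by whoever creates the allocation, so if these uid labels are later used to select or own objects they are not authoritative; resolving the environment uid from the referenced WorkshopEnvironment, as the session handler does, would make the two handlers consistent. The same label-sourced pattern appears in workshopenvironment.py at `@@ -131,6 +133,9 @@` and workshopsession.py at `@@ -560,6 +577,9 @@` for `portal_uid`. The enclosing function continues outside the hunk, so how these values are consumed is not visible here.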
diff --git a/session-manager/handlers/workshopenvironment.py b/session-manager/handlers/workshopenvironment.py index 1903e2b06..133448c03 100644 --- a/session-manager/handlers/workshopenvironment.py +++ b/session-manager/handlers/workshopenvironment.py @@ -123,6 +123,8 @@ def workshop_environment_create( # created. environment_name = name + environment_uid = uid + workshop_namespace = environment_name # Can optionally be passed name of the training portal via a label when the @@ -131,6 +133,9 @@ def workshop_environment_create( portal_name = meta.get("labels", {}).get( f"training.{OPERATOR_API_GROUP}/portal.name", "" ) + portal_uid = meta.get("labels", {}).get( + f"training.{OPERATOR_API_GROUP}/portal.uid", "" + ) # The name of the workshop to be deployed can differ and is taken from the # specification of the workshop environment. Lookup the workshop resource @@ -464,7 +469,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/policy.engine": CLUSTER_SECURITY_POLICY_ENGINE, f"training.{OPERATOR_API_GROUP}/policy.name": "privileged", }, @@ -526,7 +533,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "roleRef": { 
@@ -558,7 +567,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "roleRef": { @@ -622,7 +633,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -696,7 +709,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "data": { @@ -849,7 +864,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "rules": [ 
@@ -877,7 +894,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -928,7 +947,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -973,7 +994,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1020,7 +1043,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { 
@@ -1096,7 +1121,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, } @@ -1131,7 +1158,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1158,7 +1187,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.services.mirror": "true", }, }, @@ -1175,7 +1206,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.services.mirror": "true", }, }, 
@@ -1285,7 +1318,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1339,7 +1374,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.services.images": "true", }, }, @@ -1354,7 +1391,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.services.images": "true", }, }, @@ -1416,7 +1455,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { 
@@ -1488,7 +1529,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1531,7 +1574,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "data": {"config.yaml": yaml.dump(artifacts_config, Dumper=yaml.Dumper)}, @@ -1559,7 +1604,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1639,7 +1686,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.services.assets": "true", }, }, 
@@ -1654,7 +1703,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.services.assets": "true", }, }, @@ -1737,7 +1788,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1809,7 +1862,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1829,7 +1884,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "data": {}, 
@@ -1888,7 +1945,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -1965,7 +2024,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, } @@ -1979,7 +2040,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "roleRef": { @@ -2006,7 +2069,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { 
@@ -2020,7 +2085,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -2070,7 +2137,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, }, }, "spec": { @@ -2151,7 +2220,9 @@ def workshop_environment_create( f"training.{OPERATOR_API_GROUP}/component": "environment", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/environment.objects": "true", } ) @@ -2186,6 +2257,17 @@ def workshop_environment_create( environment_name, ) + report_analytics_event( + "Resource/PermanentError", + { + "kind": "WorkshopEnvironment", + "name": name, + "uid": uid, + "retry": retry, + "message": f"Unable to create workshop environment objects, failed creating object {object_name} of type {object_type} in namespace {object_namespace} for workshop environment {environment_name}.", + }, + ) + patch["status"] = { OPERATOR_STATUS_KEY: { "phase": "Failed", 
diff --git a/session-manager/handlers/workshoprequest.py b/session-manager/handlers/workshoprequest.py index 2e1b562e9..1ffce18e9 100644 --- a/session-manager/handlers/workshoprequest.py +++ b/session-manager/handlers/workshoprequest.py @@ -32,7 +32,12 @@ def workshop_request_create(name, uid, namespace, spec, patch, logger, **_): # resource anyway. First lookup up the desired workshop environment # and determine if it exists and is valid. - portal_name = spec.get("portal", {}).get("name", "") + # NOTE: Details of the portal are not actually available so this will + # result in empty strings. As WorkshopRequest isn't being used anymore + # no big deal. + + # portal_name = spec.get("portal", {}).get("name", "") + # portal_uid = spec.get("portal", {}).get("uid", "") environment_name = spec["environment"]["name"] @@ -120,8 +125,9 @@ def _generate_random_session_id(n=5): "metadata": { "name": session_name, "labels": { - f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, - f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + # f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + # f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, + # f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, }, }, "spec": { @@ -153,8 +159,8 @@ def _generate_random_session_id(n=5): try: WorkshopSession(api, session_body).create() - except pykube.exceptions.PyKubeError as e: - if e.code == 409: + except pykube.exceptions.PyKubeError as exc: + if exc.code == 409: if count >= 20: patch["status"] = {OPERATOR_STATUS_KEY: {"phase": "Failed"}} raise kopf.PermanentError("Unable to generate session.") diff --git a/session-manager/handlers/workshopsession.py b/session-manager/handlers/workshopsession.py index 8435a3f82..843c24378 100644 --- a/session-manager/handlers/workshopsession.py +++ b/session-manager/handlers/workshopsession.py 
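Review bot: The `environment.name` label on the WorkshopSession created in `workshop_request_create` is commented out together with the portal labels, although `environment_name` is still read from `spec["environment"]["name"]` in the earlier hunk and the added NOTE only justifies dropping the portal details. Every other handler in this commit keeps `environment.name` (and adds `environment.uid`) on the objects it creates, so sessions created through a WorkshopRequest would be the only ones without it; unless WorkshopRequest is being removed outright, keep `f"training.{OPERATOR_API_GROUP}/environment.name": environment_name,` in the labels and extend the NOTE to say why only the portal labels are omitted.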
@@ -98,7 +98,9 @@ def _setup_session_namespace( primary_namespace_body, workshop_name, portal_name, + portal_uid, environment_name, + environment_uid, session_name, workshop_namespace, session_namespace, @@ -202,7 +204,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, }, @@ -277,7 +281,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, }, @@ -311,7 +317,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, }, 
@@ -342,7 +350,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, }, @@ -371,15 +381,10 @@ def _setup_session_namespace( registry_host = applications.property("registry", "host") registry_username = applications.property("registry", "username") registry_password = applications.property("registry", "password") + registry_auth_token = applications.property("registry", "basic_auth_token") registry_secret = applications.property("registry", "secret") - registry_basic_auth = ( - base64.b64encode(f"{registry_username}:{registry_password}".encode("utf-8")) - .decode("ascii") - .strip() - ) - - registry_config = {"auths": {registry_host: {"auth": f"{registry_basic_auth}"}}} + registry_config = {"auths": {registry_host: {"auth": f"{registry_auth_token}"}}} secret_body = { "apiVersion": "v1", @@ -391,7 +396,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, }, 
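Review bot: `registry_config` now interpolates `registry_auth_token` straight from `applications.property("registry", "basic_auth_token")`; that property is only set by `workshop_session_create` in this same commit, and if it is absent the f-string serialises whatever the property call returns into the docker config secret instead of failing, while the behaviour of `applications.property` for a missing key is outside the hunk. A guard such as `if not registry_auth_token: raise kopf.PermanentError("Registry credentials not available.")` before building `registry_config` keeps a malformed pull secret from being created. `registry_username` and `registry_password` are still read above, but their only use visible in the hunk was the removed base64 computation; if nothing further down uses them, they can be dropped.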
@@ -412,7 +419,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, } ) @@ -432,7 +441,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, } ) @@ -448,7 +459,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, } ) @@ -464,7 +477,9 @@ def _setup_session_namespace( f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, } ) 
@@ -501,7 +516,7 @@ def _setup_session_namespace( "v1beta1", "workshopsessions", ) -def workshop_session_create(name, meta, uid, spec, status, patch, retry, **_): +def workshop_session_create(name, body, meta, uid, spec, status, patch, retry, **_): # Report analytics event indicating processing workshop session. report_analytics_event(
@@ -553,6 +568,8 @@ def workshop_session_create(name, meta, uid, spec, status, patch, retry, **_): session_id = spec["session"]["id"] session_namespace = f"{workshop_namespace}-{session_id}" + environment_uid = environment_instance.obj["metadata"]["uid"] + # Can optionally be passed name of the training portal via a label # when the workshop environment is created as a child to a training # portal.
@@ -560,6 +577,9 @@ def workshop_session_create(name, meta, uid, spec, status, patch, retry, **_): portal_name = meta.get("labels", {}).get( f"training.{OPERATOR_API_GROUP}/portal.name", "" ) + portal_uid = meta.get("labels", {}).get( + f"training.{OPERATOR_API_GROUP}/portal.uid", "" + ) # We pull details of the workshop to be deployed from the status of the # environment custom resource. This is a copy of the specification from the
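Review bot: `body` is added to the `workshop_session_create` signature at +501 but no hunk in this commit reads it; kopf already delivered it through `**_`, so if it is not used further down the handler the new parameter is dead and should be dropped. The new `portal_uid` at +577 defaults to `""` and is then stamped as a label on every child object, so an existence-based selector on `portal.uid` will also match standalone sessions; a comment on that line such as `# Empty when the session was not created by a training portal.` makes that explicit for anyone writing selectors. The handler body continues past this hunk.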
@@ -640,11 +660,21 @@ def resolve_security_policy(name): registry_host = f"registry-{session_namespace}.{INGRESS_DOMAIN}" registry_username = session_namespace registry_password = "".join(random.sample(characters, 32)) + + registry_auth_token = ( + base64.b64encode(f"{registry_username}:{registry_password}".encode("utf-8")) + .decode("ascii") + .strip() + ) + registry_secret = f"{OPERATOR_NAME_PREFIX}-registry-credentials" applications.properties("registry")["host"] = registry_host applications.properties("registry")["username"] = registry_username applications.properties("registry")["password"] = registry_password + + applications.properties("registry")["basic_auth_token"] = registry_auth_token + applications.properties("registry")["secret"] = registry_secret # Generate a random password to be used for any services or applications
@@ -717,7 +747,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/policy.engine": CLUSTER_SECURITY_POLICY_ENGINE, f"training.{OPERATOR_API_GROUP}/policy.name": namespace_security_policy,
@@ -737,7 +769,7 @@ def resolve_security_policy(name): pykube.Namespace(api, namespace_body).create() except pykube.exceptions.PyKubeError as exc: - if e.code == 409: + if exc.code == 409: patch["status"] = {OPERATOR_STATUS_KEY: {"phase": "Pending"}} raise kopf.TemporaryError( f"Namespace {session_namespace} already exists."
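Review bot: `registry_auth_token` at +665 is the base64 of `username:password`, a reversible encoding rather than a hash, yet it is stored next to the password in `applications.properties("registry")` with nothing marking it as equally sensitive; a comment such as `# Base64 of "user:password" for the Docker config "auth" field; reversible, treat as a secret.` would stop it being logged or surfaced as if it were opaque. The password it wraps comes from the pre-existing `random.sample(characters, 32)`, which is not a CSPRNG and samples without replacement; `"".join(secrets.choice(characters) for _ in range(32))` from the stdlib `secrets` module is the defensive choice and would make the new token as strong as its encoding suggests. The enclosing handler begins and ends outside this hunk.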
@@ -809,7 +841,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -844,6 +878,7 @@ def resolve_security_policy(name): "labels": { f"training.{OPERATOR_API_GROUP}/component": "portal", f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, }, }, "type": "kubernetes.io/service-account-token",
@@ -880,7 +915,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -925,7 +962,9 @@ def resolve_security_policy(name): namespace_instance.obj, workshop_name, portal_name, + portal_uid, environment_name, + environment_uid, session_name, workshop_namespace, session_namespace,
@@ -1017,12 +1056,10 @@ def resolve_security_policy(name): application_variables_list = workshop_spec.get("session").get("variables", []) - application_variables_list = substitute_variables( - application_variables_list, session_variables - ) - for variable in application_variables_list: - session_variables[variable["name"]] = variable["value"] + session_variables[variable["name"]] = substitute_variables( + variable["value"], session_variables + ) if applications.is_enabled("registry"): session_variables.update(
@@ -1030,6 +1067,7 @@ def resolve_security_policy(name): registry_host=registry_host, registry_username=registry_username, registry_password=registry_password, + registry_auth_token=registry_auth_token, registry_secret=registry_secret, ) )
@@ -1070,7 +1108,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -1109,7 +1149,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component.group": "variables", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
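Review bot: The loop at +1059 now substitutes each variable's value against `session_variables` while that dict is being extended, so a workshop variable may reference only variables listed before it and the list order becomes significant, which the old whole-list call did not imply; that contract should be stated on the loop, e.g. `# Substituted in list order: a variable may reference only those defined before it.`. It also passes a single `variable["value"]` to `substitute_variables` where the old code passed the whole list, which is fine only if the helper accepts scalars, something not visible here. `registry_auth_token` joins `session_variables` at +1070 and therefore lands in the session variables Secret, so it carries the same sensitivity as `registry_password` there. The enclosing handler continues outside this hunk.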
@@ -1128,8 +1170,8 @@ def resolve_security_policy(name): try: pykube.Secret(api, variables_secret_body).create() - except pykube.exceptions.PyKubeError as e: - if e.code == 409: + except pykube.exceptions.PyKubeError as exc: + if exc.code == 409: patch["status"] = {OPERATOR_STATUS_KEY: {"phase": "Failed"}} raise kopf.TemporaryError( f"Session variables secret {session_namespace}-session already exists."
@@ -1166,7 +1208,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/policy.engine": CLUSTER_SECURITY_POLICY_ENGINE, f"training.{OPERATOR_API_GROUP}/policy.name": target_security_policy,
@@ -1187,8 +1231,8 @@ def resolve_security_policy(name): try: pykube.Namespace(api, namespace_body).create() - except pykube.exceptions.PyKubeError as e: - if e.code == 409: + except pykube.exceptions.PyKubeError as exc: + if exc.code == 409: patch["status"] = {OPERATOR_STATUS_KEY: {"phase": "Failed"}} raise kopf.TemporaryError( f"Secondary namespace {target_namespace} already exists."
@@ -1199,7 +1243,9 @@ def resolve_security_policy(name): namespace_instance.obj, workshop_name, portal_name, + portal_uid, environment_name, + environment_uid, session_name, workshop_namespace, session_namespace,
@@ -1249,7 +1295,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/session.objects": "true", }
@@ -1357,6 +1405,17 @@ def resolve_security_policy(name): session_name, ) + report_analytics_event( + "Resource/PermanentError", + { + "kind": "WorkshopSession", + "name": name, + "uid": uid, + "retry": retry, + "message": f"Unable to create workshop session objects, failed creating object {object_name} of type {object_type} in namespace {object_namespace} for workshop session {session_name}.", + }, + ) + patch["status"] = { OPERATOR_STATUS_KEY: { "phase": "Failed",
@@ -1374,7 +1433,9 @@ def resolve_security_policy(name): namespace_instance.obj, workshop_name, portal_name, + portal_uid, environment_name, + environment_uid, session_name, workshop_namespace, session_namespace,
@@ -1408,6 +1469,17 @@ def resolve_security_policy(name): session_name, ) + report_analytics_event( + "Resource/PermanentError", + { + "kind": "WorkshopSession", + "name": name, + "uid": uid, + "retry": retry, + "message": f"Unable to create workshop session objects, failed creating object {object_name} of type {object_type} in namespace {object_namespace} for workshop session {session_name}.", + }, + ) + patch["status"] = { OPERATOR_STATUS_KEY: { "phase": "Failed",
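Review bot: The `report_analytics_event("Resource/PermanentError", …)` block added at +1408 is repeated verbatim at +1472, long f-string message included, so the two copies will drift on the next edit; a small module-level helper called as `_report_object_failure(name, uid, retry, session_name, object_name, object_type, object_namespace)` would keep a single copy of the event shape and message. Both sites appear to report the same failure ("failed creating object"), but if the second site corresponds to a different step in the flow the shared wording is already misleading, which is easier to keep right with one helper. The enclosing handler starts and ends outside these hunks.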
@@ -1508,7 +1580,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/application": "workshop", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/session.services.workshop": "true", },
@@ -1525,7 +1599,9 @@ def resolve_security_policy(name): f"training.{OPERATOR_API_GROUP}/application": "workshop", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/session.services.workshop": "true", },
@@ -1986,7 +2062,9 @@ def vendir_secrets_required(contents): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2124,7 +2202,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2272,7 +2352,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2333,7 +2415,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2411,12 +2495,6 @@ def _apply_environment_patch(patch): # Add in extra configuration for registry and create session objects. if applications.is_enabled("registry"): - registry_basic_auth = ( - base64.b64encode(f"{registry_username}:{registry_password}".encode("utf-8")) - .decode("ascii") - .strip() - ) - registry_htpasswd_hash = bcrypt.hashpw( bytes(registry_password, "ascii"), bcrypt.gensalt(prefix=b"2a") ).decode("ascii")
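Review bot: Dropping the local `registry_basic_auth` at +2498 makes this block depend on `registry_auth_token`, which is assigned roughly 1,800 lines earlier at +665 inside the registry branch of the same handler; both sites appear to sit under an `applications.is_enabled("registry")` guard, but if those conditions ever diverge this becomes a NameError at session creation rather than a visible config error. A one-line pointer here, `# registry_auth_token is derived with the registry credentials generated above.`, makes the long-range dependency visible to the next editor. The enclosing handler starts outside this hunk.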
@@ -2441,6 +2519,12 @@ def _apply_environment_patch(patch): "value": registry_password, } ) + additional_env.append( + { + "name": "REGISTRY_AUTH_TOKEN", + "value": registry_auth_token, + } + ) additional_env.append( { "name": "REGISTRY_SECRET",
@@ -2509,7 +2593,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2524,7 +2610,7 @@ def _apply_environment_patch(patch): "storageClassName" ] = CLUSTER_STORAGE_CLASS - registry_config = {"auths": {registry_host: {"auth": f"{registry_basic_auth}"}}} + registry_config = {"auths": {registry_host: {"auth": f"{registry_auth_token}"}}} registry_config_map_body = { "apiVersion": "v1",
@@ -2536,7 +2622,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
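Review bot: `REGISTRY_AUTH_TOKEN` at +2522 is injected as an inline `value` in the container environment, and because it is the base64 of `user:password` it is readable by anyone who can view the pod spec or the process environment, exactly as `REGISTRY_PASSWORD` already is; the commit adds a second reversible copy of the same credential rather than a new exposure class. If the consumer lives inside the workshop pod, the credentials already written to a Secret for this session could be referenced with `valueFrom.secretKeyRef` instead of being inlined, which keeps them out of `kubectl get pod -o yaml` output; at minimum a comment that the token is reversible belongs on the new entry. The enclosing handler starts outside this hunk.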
@@ -2560,7 +2648,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/application": "registry", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/session.services.registry": "true", },
@@ -2579,7 +2669,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/application": "registry", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, f"training.{OPERATOR_API_GROUP}/session.services.registry": "true", },
@@ -2700,7 +2792,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/application": "registry", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2723,7 +2817,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/application": "registry", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2804,7 +2900,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/component": "session", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -2867,7 +2965,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/application": "workshop", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -3009,7 +3109,9 @@ def _apply_environment_patch(patch): f"training.{OPERATOR_API_GROUP}/application": "workshop", f"training.{OPERATOR_API_GROUP}/workshop.name": workshop_name, f"training.{OPERATOR_API_GROUP}/portal.name": portal_name, + f"training.{OPERATOR_API_GROUP}/portal.uid": portal_uid, f"training.{OPERATOR_API_GROUP}/environment.name": environment_name, + f"training.{OPERATOR_API_GROUP}/environment.uid": environment_uid, f"training.{OPERATOR_API_GROUP}/session.name": session_name, }, },
@@ -3128,22 +3230,14 @@ def _apply_environment_patch(patch): # Set the URL for accessing the workshop session directly in the # status. This would only be used if directly creating workshop # session and not when using training portal. Set phase to Running - # if standalone workshop environment or Available if associated - # with a training portal. The latter can be overridden though if - # the training portal had already set the phase before the operator - # had managed to process the resource. + # if standalone workshop environment. Where created by a training + # portal it will set the status itself appropriately. url = f"{INGRESS_PROTOCOL}://{session_hostname}" phase = "Running" - if portal_name: - phase = status.get(OPERATOR_STATUS_KEY, {}).get("phase", "Available") - - patch["status"] = {} - - patch["status"][OPERATOR_STATUS_KEY] = { - "phase": phase, + changes = { "message": None, "url": url, "sshd": {
@@ -3154,6 +3248,13 @@ def _apply_environment_patch(patch): }, } + if not portal_name: + changes["phase"] = phase + + patch["status"] = { + OPERATOR_STATUS_KEY: changes, + } + @kopf.on.delete( f"training.{OPERATOR_API_GROUP}",
diff --git a/session-manager/packages/contour/upstream/00-common.yaml b/session-manager/packages/contour/upstream/00-common.yaml
new file mode 100644
index 000000000..c037ee61b
--- /dev/null
+++ b/session-manager/packages/contour/upstream/00-common.yaml
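Review bot: After the change at +3233 the operator writes no `phase` at all when `portal_name` is set and the old fallback to `"Available"` is gone, so until the training portal patches the status the resource has no phase key; any reader of `status[OPERATOR_STATUS_KEY]["phase"]` must now tolerate a missing key, and the rewritten comment should say so rather than only that the portal "will set the status". `phase = "Running"` is also assigned unconditionally but used only inside `if not portal_name`, so `changes["phase"] = "Running"` in that branch reads more directly, and the handler's `status` argument appears unused here after this change. The enclosing handler starts outside this hunk.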
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: projectcontour
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: contour
+ namespace: projectcontour
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: envoy
+ namespace: projectcontour
diff --git a/session-manager/packages/contour/upstream/01-contour-config.yaml b/session-manager/packages/contour/upstream/01-contour-config.yaml
new file mode 100644
index 000000000..59b89005e
--- /dev/null
+++ b/session-manager/packages/contour/upstream/01-contour-config.yaml
@@ -0,0 +1,185 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the Gateway API configuration. + # gateway: + # controllerName: projectcontour.io/gateway-controller + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # + # Disable Envoy's non-standard merge_slashes path transformation option + # that strips duplicate slashes from request URLs. + # disableMergeSlashes: false + # + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. + # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + #### + # ExternalName Services are disabled by default due to CVE-2021-XXXXX + # You can re-enable them by setting this setting to `true`. + # This is not recommended without understanding the security implications. 
+ # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. + # enableExternalNameService: false + ## + # Address to be placed in status.loadbalancer field of Ingress objects. + # May be either a literal IP address or a host name. + # The value will be placed directly into the relevant field inside the status.loadBalancer struct. + # ingress-status-address: local.projectcontour.io + ### Logging options + # Default setting + accesslog-format: envoy + # The default access log format is defined by Envoy but it can be customized by setting following variable. + # accesslog-format-string: "...\n" + # To enable JSON logging in Envoy + # accesslog-format: json + # accesslog-level: info + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. + # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # - "grpc_status" + # - "grpc_status_number" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # connect-timeout: 2s + # + # Envoy cluster settings. 
+ # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # Configure the port used to access the Envoy Admin interface. + # admin-port: 9001 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. + # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED + # instead of the default UNAVAILABLE + # enableResourceExhaustedCode: false + # + # Global Policy settings. 
+ # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # + # metrics: + # contour: + # address: 0.0.0.0 + # port: 8000 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + # envoy: + # address: 0.0.0.0 + # port: 8002 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + # + # listener: + # connection-balancer: exact + # socket-options: + # tos: 64 + # traffic-class: 64
diff --git a/session-manager/packages/contour/upstream/01-crds.yaml b/session-manager/packages/contour/upstream/01-crds.yaml
new file mode 100644
index 000000000..6695ac9b8
--- /dev/null
+++ b/session-manager/packages/contour/upstream/01-crds.yaml
@@ -0,0 +1,8547 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: contourconfigurations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourConfiguration + listKind: ContourConfigurationList + plural: contourconfigurations + shortNames: + - contourconfig + singular: contourconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourConfiguration is the schema for a Contour instance. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. + properties: + debug: + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". + type: string + port: + description: |- + Defines the Contour debug address port. + Contour's default is 6060. 
+ type: integer + type: object + enableExternalNameService: + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. + type: boolean + envoy: + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. + properties: + circuitBreakers: + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object + dnsLookupFamily: + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. 
If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. + type: string + maxRequestsPerConnection: + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. 
This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + type: object + defaultHTTPVersions: + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. 
HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. + items: + description: HTTPVersionType is the name of a supported HTTP + version. + type: string + type: array + health: + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. 
+ Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. + type: string + disableAllowChunkedLength: + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. + type: boolean + disableMergeSlashes: + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. + type: boolean + httpMaxConcurrentStreams: + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. + format: int32 + minimum: 1 + type: integer + maxConnectionsPerListener: + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer + maxRequestsPerConnection: + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. 
+ format: int32 + minimum: 1 + type: integer + maxRequestsPerIOCycle: + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + serverHeaderTransformation: + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. + type: string + socketOptions: + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. + properties: + tos: + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. 
+ If listeners are bound to IPv6-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + trafficClass: + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + type: object + tls: + description: TLS holds various configurable Envoy TLS listener + values. + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. 
+ See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + useProxyProtocol: + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. + type: string + accessLogFormatString: + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. + type: string + accessLogJSONFields: + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. 
+ Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. + type: integer + numTrustedHops: + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. + format: int32 + type: integer + type: object + service: + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. + properties: + connectTimeout: + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. 
+ If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. + type: string + connectionIdleTimeout: + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. + type: string + connectionShutdownGracePeriod: + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. + type: string + delayedCloseTimeout: + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. 
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. + type: string + maxConnectionDuration: + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. + type: string + requestTimeout: + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. 
+ type: string + type: object + type: object + featureFlags: + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. + items: + type: string + type: array + gateway: + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. + properties: + controllerName: + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. + Deprecated: users should use GatewayRef, or the Gateway provisioner, + in place of this field. This field will be removed in a future release. + type: string + gatewayRef: + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + globalExtAuth: + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. + properties: + authPolicy: + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. 
If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy will + buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of message + body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to Authorization + Server is in raw bytes. + type: boolean + type: object + type: object + health: + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces for + root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. 
+ properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. 
+ properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor entry + with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". + type: string + value: + description: Value defines the value of the + descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the key + to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name of + the header to look for on the request. 
+ minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be equal + to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. 
The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of the + descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableResourceExhaustedCode: + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. 
When disabled it's translated to UNAVAILABLE + type: boolean + enableXRateLimitHeaders: + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. + type: boolean + required: + - extensionService + type: object + tracing: + description: Tracing defines properties for exporting trace data to + OpenTelemetry. + properties: + customTags: + description: CustomTags defines a list of custom tags with unique + tag name. + items: + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. + properties: + literal: + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. + type: string + requestHeaderName: + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. + type: string + tagName: + description: TagName is the unique name of the custom tag. + type: string + required: + - tagName + type: object + type: array + extensionService: + description: ExtensionService identifies the extension service + defining the otel-collector. 
+ properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + includePodDetail: + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. + type: boolean + maxPathTagLength: + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. + format: int32 + type: integer + overallSampling: + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. + type: string + serviceName: + description: |- + ServiceName defines the name for the service. + contour's default is contour. + type: string + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". + minLength: 1 + type: string + port: + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. 
+ type: string + type: object + type: object + status: + description: ContourConfigurationStatus defines the observed state of + a ContourConfiguration resource. + properties: + conditions: + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. + items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. 
+ When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. + properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: contourdeployments.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourDeployment + listKind: ContourDeploymentList + plural: contourdeployments + shortNames: + - contourdeploy + singular: contourdeployment + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourDeployment is the schema for a Contour Deployment. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + ContourDeploymentSpec specifies options for how a Contour + instance should be provisioned. + properties: + contour: + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. + properties: + deployment: + description: Deployment describes the settings for running contour + as a `Deployment`. + properties: + replicas: + description: Replicas is the desired number of replicas. + format: int32 + minimum: 0 + type: integer + strategy: + description: Strategy describes the deployment strategy to + use to replace existing pods with new pods. + properties: + rollingUpdate: + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. 
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. + type: string + type: object + type: object + disabledFeatures: + description: |- + DisabledFeatures defines an array of resources that will be ignored by + contour reconciler. + items: + enum: + - grpcroutes + - tlsroutes + - extensionservices + - backendtlspolicies + type: string + maxItems: 42 + minItems: 1 + type: array + kubernetesLogLevel: + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. + maximum: 9 + minimum: 0 + type: integer + logLevel: + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". 
+ type: string + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Contour pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. + type: object + tolerations: + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. + type: object + replicas: + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. + format: int32 + minimum: 0 + type: integer + resources: + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + watchNamespaces: + description: |- + WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance + to only watch this subset of namespaces. + items: + description: |- + Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label. + This validation is based off of the corresponding Kubernetes validation: + https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187 + This is used for Namespace name validation here: + https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63 + Valid values include: + * "example" + Invalid values include: + * "example.com" - "." 
is an invalid character + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + maxItems: 42 + minItems: 1 + type: array + type: object + envoy: + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. + properties: + baseID: + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. + format: int32 + minimum: 0 + type: integer + daemonSet: + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil + properties: + updateStrategy: + description: Strategy describes the deployment strategy to + use to replace existing DaemonSet pods with new pods. + properties: + rollingUpdate: + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. 
+ Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. 
Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + type: object + deployment: + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil + properties: + replicas: + description: Replicas is the desired number of replicas. + format: int32 + minimum: 0 + type: integer + strategy: + description: Strategy describes the deployment strategy to + use to replace existing pods with new pods. + properties: + rollingUpdate: + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. 
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. + type: string + type: object + type: object + extraVolumeMounts: + description: ExtraVolumeMounts holds the extra volume mounts to + add (normally used with extraVolumes). + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + extraVolumes: + description: ExtraVolumes holds the extra volumes to add. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. 
+ properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + logLevel: + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". + type: string + networkPublishing: + description: NetworkPublishing defines how to expose Envoy to + a network. + properties: + externalTrafficPolicy: + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". + type: string + ipFamilyPolicy: + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). + type: string + serviceAnnotations: + additionalProperties: + type: string + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. + type: object + type: + description: |- + NetworkPublishingType is the type of publishing strategy to use. 
Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes + NodePort Service is created to publish the network endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes + ClusterIP Service is created to publish the network endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. + type: string + type: object + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Envoy pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. + type: object + tolerations: + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. 
One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + overloadMaxHeapSize: + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. 
+ When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ + format: int64 + type: integer + podAnnotations: + additionalProperties: + type: string + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. + type: object + replicas: + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. + format: int32 + minimum: 0 + type: integer + resources: + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + workloadType: + description: |- + WorkloadType is the type of workload to install Envoy + as. Choices are DaemonSet and Deployment. If unset, defaults + to DaemonSet. + type: string + type: object + resourceLabels: + additionalProperties: + type: string + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. + type: object + runtimeSettings: + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. 
+ properties: + debug: + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". + type: string + port: + description: |- + Defines the Contour debug address port. + Contour's default is 6060. + type: integer + type: object + enableExternalNameService: + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. + type: boolean + envoy: + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. + properties: + circuitBreakers: + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. 
+ format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object + dnsLookupFamily: + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. + type: string + maxRequestsPerConnection: + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. 
+ If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. 
+ items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + type: object + defaultHTTPVersions: + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. + items: + description: HTTPVersionType is the name of a supported + HTTP version. + type: string + type: array + health: + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. 
+ type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. + type: string + disableAllowChunkedLength: + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. + type: boolean + disableMergeSlashes: + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. + type: boolean + httpMaxConcurrentStreams: + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. 
+ format: int32 + minimum: 1 + type: integer + maxConnectionsPerListener: + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. + format: int32 + minimum: 1 + type: integer + maxRequestsPerConnection: + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information. + format: int32 + minimum: 1 + type: integer + maxRequestsPerIOCycle: + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. + format: int32 + minimum: 1 + type: integer + per-connection-buffer-limit-bytes: + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + for more information. + format: int32 + minimum: 1 + type: integer + serverHeaderTransformation: + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". 
+ When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. + type: string + socketOptions: + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. + properties: + tos: + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + trafficClass: + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. + format: int32 + maximum: 255 + minimum: 0 + type: integer + type: object + tls: + description: TLS holds various configurable Envoy TLS + listener values. + properties: + cipherSuites: + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. 
+ Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + items: + type: string + type: array + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. + type: string + type: object + useProxyProtocol: + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. 
+ type: string + accessLogFormatString: + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. + type: string + accessLogJSONFields: + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. + type: integer + numTrustedHops: + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. 
+ See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. + format: int32 + type: integer + type: object + service: + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. + properties: + connectTimeout: + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. + type: string + connectionIdleTimeout: + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. + type: string + connectionShutdownGracePeriod: + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. 
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. + type: string + delayedCloseTimeout: + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. + type: string + maxConnectionDuration: + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. + type: string + requestTimeout: + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. 
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. + type: string + type: object + type: object + featureFlags: + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. + items: + type: string + type: array + gateway: + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. + properties: + controllerName: + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. + Deprecated: users should use GatewayRef, or the Gateway provisioner, + in place of this field. This field will be removed in a future release. + type: string + gatewayRef: + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. 
If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + globalExtAuth: + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. + properties: + authPolicy: + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. + type: boolean + type: object + type: object + health: + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. 
+ type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. 
+ type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". 
+ type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. 
+ properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. 
+ minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableResourceExhaustedCode: + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE + type: boolean + enableXRateLimitHeaders: + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. + type: boolean + required: + - extensionService + type: object + tracing: + description: Tracing defines properties for exporting trace data + to OpenTelemetry. + properties: + customTags: + description: CustomTags defines a list of custom tags with + unique tag name. + items: + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. + properties: + literal: + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. 
+ type: string + requestHeaderName: + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. + type: string + tagName: + description: TagName is the unique name of the custom + tag. + type: string + required: + - tagName + type: object + type: array + extensionService: + description: ExtensionService identifies the extension service + defining the otel-collector. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + includePodDetail: + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. + type: boolean + maxPathTagLength: + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. + format: int32 + type: integer + overallSampling: + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. + type: string + serviceName: + description: |- + ServiceName defines the name for the service. + contour's default is contour. + type: string + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". + minLength: 1 + type: string + port: + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. + type: string + type: object + type: object + type: object + status: + description: ContourDeploymentStatus defines the observed state of a ContourDeployment + resource. + properties: + conditions: + description: Conditions describe the current conditions of the ContourDeployment + resource. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. + properties: + requestHashPolicies: + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. + items: + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. + properties: + hashSourceIP: + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + headerName: + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. 
It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + parameterName: + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + protocol: + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. + enum: + - v3 + type: string + services: + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. 
+ Otherwise, traffic is balanced proportionally to the + Weight field in each entry. + items: + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. + properties: + name: + description: |- + Name is the name of Kubernetes service that will accept service + traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' + required: + - services + type: object + status: + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. + properties: + conditions: + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. 
+ items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. 
+ properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. + items: + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. + properties: + exact: + description: |- + Exact defines a exact match for a request. + This field is not allowed in include match conditions. + type: string + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. 
+ type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + queryParameter: + description: QueryParameter specifies the query parameter + condition to match. 
+ properties: + contains: + description: |- + Contains specifies a substring that must be present in + the query parameter value. + type: string + exact: + description: Exact specifies a string that the query + parameter value must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. + type: string + prefix: + description: Prefix defines a prefix match for the + query parameter value. + type: string + present: + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. + type: string + suffix: + description: Suffix defines a suffix match for a query + parameter value. + type: string + required: + - name + type: object + regex: + description: |- + Regex defines a regex match for a request. + This field is not allowed in include match conditions. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + ingressClassName: + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. 
+ type: string + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + conditions: + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. + items: + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. + properties: + exact: + description: |- + Exact defines a exact match for a request. + This field is not allowed in include match conditions. + type: string + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. 
+ Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + queryParameter: + description: QueryParameter specifies the query parameter + condition to match. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the query parameter value. + type: string + exact: + description: Exact specifies a string that the query + parameter value must be equal to. 
+ type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. + type: string + prefix: + description: Prefix defines a prefix match for the + query parameter value. + type: string + present: + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. + type: string + suffix: + description: Suffix defines a suffix match for a query + parameter value. + type: string + required: + - name + type: object + regex: + description: |- + Regex defines a regex match for a request. + This field is not allowed in include match conditions. + type: string + type: object + type: array + cookieRewritePolicies: + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. + items: + properties: + domainRewrite: + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. 
+ maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + directResponsePolicy: + description: DirectResponsePolicy returns an arbitrary HTTP + response directly. + properties: + body: + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. + type: string + statusCode: + description: StatusCode is the HTTP response status to be + returned. + maximum: 599 + minimum: 200 + type: integer + required: + - statusCode + type: object + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + expectedStatuses: + description: |- + The ranges of HTTP response statuses considered healthy. 
Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. + items: + properties: + end: + description: The end (exclusive) of a range of HTTP + status codes. + format: int64 + maximum: 600 + minimum: 101 + type: integer + start: + description: The start (inclusive) of a range of HTTP + status codes. + format: int64 + maximum: 599 + minimum: 100 + type: integer + required: + - end + - start + type: object + type: array + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + internalRedirectPolicy: + description: The policy to define when to handle redirects responses + internally. + properties: + allowCrossSchemeRedirect: + default: Never + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. 
+ SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. + enum: + - Always + - Never + - SafeOnly + type: string + denyRepeatedRouteRedirect: + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. + type: boolean + maxInternalRedirects: + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. + format: int32 + type: integer + redirectResponseCodes: + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. + items: + description: RedirectResponseCode is a uint32 type alias + with validation to ensure that the value is valid. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + format: int32 + type: integer + type: array + type: object + ipAllowPolicy: + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. + type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. 
+ - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + ipDenyPolicy: + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. + type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + jwtVerificationPolicy: + description: The policy for verifying JWTs for requests to this + route. + properties: + disabled: + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. + type: boolean + require: + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. 
+ type: string + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. + items: + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. + properties: + hashSourceIP: + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + headerName: + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + parameterName: + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. 
+ minLength: 1 + type: string + type: object + terminal: + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + pathRewritePolicy: + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. + minLength: 1 + type: string + replacement: + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. 
+ minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. 
+ properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. + properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. 
+ type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + local: + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. 
+ properties: + burst: + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. + format: int32 + type: integer + requests: + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. 
+ **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + requestRedirectPolicy: + description: RequestRedirectPolicy defines an HTTP redirection. + properties: + hostname: + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. + pattern: ^\/.*$ + type: string + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. 
+ pattern: ^\/.*$ + type: string + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status code to be used + in response. + enum: + - 301 + - 302 + type: integer + type: object + responseHeadersPolicy: + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + default: 1 + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. + format: int64 + minimum: -1 + type: integer + perTryTimeout: + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. + items: + format: int32 + type: integer + type: array + retryOn: + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Domain attribute to. 
+ For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for + which attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + healthPort: + description: |- + HealthPort is the port for this service healthcheck. + If not specified, Port is used for service healthchecks. + maximum: 65535 + minimum: 1 + type: integer + mirror: + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. 
+ NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values + type: boolean + name: + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. 
+ items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + slowStartPolicy: + description: Slow start will gradually increase amount + of traffic to a newly added endpoint. + properties: + aggression: + default: "1.0" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start + pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ + type: string + minWeightPercent: + default: 10 + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + window: + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + required: + - window + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). 
+ Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. 
+ properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. + properties: + requestHashPolicies: + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. + items: + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. + properties: + hashSourceIP: + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. 
It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + headerName: + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. + properties: + parameterName: + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. 
+ items: + properties: + domainRewrite: + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. + properties: + value: + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + healthPort: + description: |- + HealthPort is the port for this service healthcheck. + If not specified, Port is used for service healthchecks. + maximum: 65535 + minimum: 1 + type: integer + mirror: + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. 
+ If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values + type: boolean + name: + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: |- + The policy for managing response headers during proxying. 
+ Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + slowStartPolicy: + description: Slow start will gradually increase amount of + traffic to a newly added endpoint. + properties: + aggression: + default: "1.0" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start + pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ + type: string + minWeightPercent: + default: 10 + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + window: + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + required: + - window + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. 
+ properties: + authorization: + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. + properties: + authPolicy: + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. + properties: + context: + additionalProperties: + type: string + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. + type: object + disabled: + description: |- + When true, this field disables client request authentication + for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. + type: boolean + type: object + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. 
+ items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + minItems: 1 + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + minItems: 1 + type: array + allowOrigin: + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. + items: + type: string + minItems: 1 + type: array + allowPrivateNetwork: + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. + type: boolean + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + minItems: 1 + type: array + maxAge: + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ + type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + ipAllowPolicy: + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. + type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + ipDenyPolicy: + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. + items: + properties: + cidr: + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. 
+ type: string + source: + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. + enum: + - Peer + - Remote + type: string + required: + - cidr + - source + type: object + type: array + jwtProviders: + description: Providers to use for verifying JSON Web Tokens (JWTs) + on the virtual host. + items: + description: JWTProvider defines how to verify JWTs on requests. + properties: + audiences: + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. + items: + type: string + type: array + default: + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly + identify the provider they require. + type: boolean + forwardJWT: + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, + the JWT is not forwarded. + type: boolean + issuer: + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. + type: string + name: + description: Unique name for the provider. + minLength: 1 + type: string + remoteJWKS: + description: Remote JWKS to use for verifying JWT signatures. + properties: + cacheDuration: + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + dnsLookupFamily: + description: |- + The DNS IP address resolution policy for the JWKS URI. 
+ When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + enum: + - auto + - v4 + - v6 + type: string + timeout: + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ + type: string + uri: + description: The URI for the JWKS. + minLength: 1 + type: string + validation: + description: UpstreamValidation defines how to verify + the JWKS's TLS certificate. + properties: + caSecret: + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + maxLength: 317 + minLength: 1 + type: string + subjectName: + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. 
+ Deprecated: migrate to using the plural field subjectNames. + maxLength: 250 + minLength: 1 + type: string + subjectNames: + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array + required: + - caSecret + - subjectName + type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' + required: + - uri + type: object + required: + - name + - remoteJWKS + type: object + type: array + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. + properties: + descriptors: + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. 
+ minLength: 1 + type: string + type: object + remoteAddress: + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). + type: object + requestHeader: + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. + properties: + expectMatch: + default: true + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. + items: + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. 
+ properties: + contains: + description: |- + Contains specifies a substring that must be present in + the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + ignoreCase: + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. + type: boolean + name: + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. + type: string + notcontains: + description: |- + NotContains specifies a substring that must not be present + in the header value. + type: string + notexact: + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. + type: string + notpresent: + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. + type: boolean + present: + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. + type: boolean + regex: + description: |- + Regex specifies a regular expression pattern that must match the header + value. + type: string + treatMissingAsEmpty: + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. 
+ minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + disabled: + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. + type: boolean + type: object + local: + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. + properties: + burst: + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. + format: int32 + type: integer + requests: + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". 
+ enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. + properties: + clientValidation: + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. + properties: + caSecret: + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + minLength: 1 + type: string + crlOnlyVerifyLeafCert: + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. + type: boolean + crlSecret: + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. 
+ CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + minLength: 1 + type: string + forwardClientCertificate: + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. + properties: + cert: + description: Client cert in URL encoded PEM format. + type: boolean + chain: + description: Client cert chain (including the leaf + cert) in URL encoded PEM format. + type: boolean + dns: + description: DNS type Subject Alternative Names of + the client cert. + type: boolean + subject: + description: Subject of the client cert. + type: boolean + uri: + description: URI type Subject Alternative Name of + the client cert. + type: boolean + type: object + optionalClientCertificate: + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. + type: boolean + skipClientCertValidation: + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. 
If external authorization is in use, they are + presented to the external authorization server. + type: boolean + type: object + enableFallbackCertificate: + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. + type: boolean + maximumProtocolVersion: + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. + type: string + minimumProtocolVersion: + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. + type: string + passthrough: + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. + type: boolean + secretName: + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. + If specified, the named secret must contain a matching certificate + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + type: string + type: object + required: + - fqdn + type: object + type: object + status: + default: + currentStatus: NotReconciled + description: Waiting for controller + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. 
+ That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. + items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. 
+ In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. + properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. 
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. + items: + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. + properties: + hostname: + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) + type: string + ip: + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. 
+ Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. + type: string + ports: + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it + items: + properties: + error: + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + 
- tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. 
+ properties: + conditions: + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. + items: + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. 
+ When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. + properties: + errors: + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. + items: + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. + properties: + message: + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/session-manager/packages/contour/upstream/02-job-certgen.yaml b/session-manager/packages/contour/upstream/02-job-certgen.yaml new file mode 100644 index 000000000..54dc987f7 --- /dev/null +++ b/session-manager/packages/contour/upstream/02-job-certgen.yaml 
@@ -0,0 +1,72 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour-certgen + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen-v1-28-5 + namespace: projectcontour +spec: + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: ghcr.io/projectcontour/contour:v1.28.5 + imagePullPolicy: IfNotPresent + command: + - contour + - certgen + - --kube + - --incluster + - --overwrite + - --secrets-format=compact + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 diff --git a/session-manager/packages/contour/upstream/02-rbac.yaml b/session-manager/packages/contour/upstream/02-rbac.yaml new file mode 100644 index 000000000..9766df6a9 --- /dev/null +++ b/session-manager/packages/contour/upstream/02-rbac.yaml 
@@ -0,0 +1,27 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour-rolebinding + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour diff --git a/session-manager/packages/contour/upstream/02-role-contour.yaml b/session-manager/packages/contour/upstream/02-role-contour.yaml new file mode 100644 index 000000000..21bf57381 --- /dev/null +++ b/session-manager/packages/contour/upstream/02-role-contour.yaml 
@@ -0,0 +1,116 @@ +# The following ClusterRole and Role are generated from kubebuilder RBAC tags by +# generate-rbac.sh. Do not edit this file directly but instead edit the source +# files and re-render. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: contour +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - namespaces + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies + - gatewayclasses + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations + - extensionservices + - httpproxies + - tlscertificatedelegations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations/status + - extensionservices/status + - httpproxies/status + verbs: + - create + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update 
diff --git a/session-manager/packages/contour/upstream/02-service-contour.yaml b/session-manager/packages/contour/upstream/02-service-contour.yaml new file mode 100644 index 000000000..8be5bc9a7 --- /dev/null +++ b/session-manager/packages/contour/upstream/02-service-contour.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: contour + namespace: projectcontour +spec: + ports: + - port: 8001 + name: xds + protocol: TCP + targetPort: 8001 + selector: + app: contour + type: ClusterIP diff --git a/session-manager/packages/contour/upstream/02-service-envoy.yaml b/session-manager/packages/contour/upstream/02-service-envoy.yaml new file mode 100644 index 000000000..1da8fc0a6 --- /dev/null +++ b/session-manager/packages/contour/upstream/02-service-envoy.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: envoy + namespace: projectcontour + annotations: + # This annotation puts the AWS ELB into "TCP" mode so that it does not + # do HTTP negotiation for HTTPS connections at the ELB edge. + # The downside of this is the remote IP address of all connections will + # appear to be the internal address of the ELB. See docs/proxy-proto.md + # for information about enabling the PROXY protocol on the ELB to recover + # the original remote IP address. + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp +spec: + externalTrafficPolicy: Local + ports: + - port: 80 + name: http + protocol: TCP + targetPort: 8080 + - port: 443 + name: https + protocol: TCP + targetPort: 8443 + selector: + app: envoy + type: LoadBalancer diff --git a/session-manager/packages/contour/upstream/03-contour.yaml b/session-manager/packages/contour/upstream/03-contour.yaml new file mode 100644 index 000000000..331d87d6c --- /dev/null +++ b/session-manager/packages/contour/upstream/03-contour.yaml 
@@ -0,0 +1,103 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: contour + name: contour + namespace: projectcontour +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 50% + selector: + matchLabels: + app: contour + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + labels: + app: contour + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: contour + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - serve + - --incluster + - --xds-address=0.0.0.0 + - --xds-port=8001 + - --contour-cafile=/certs/ca.crt + - --contour-cert-file=/certs/tls.crt + - --contour-key-file=/certs/tls.key + - --config-path=/config/contour.yaml + command: ["contour"] + image: ghcr.io/projectcontour/contour:v1.28.5 + imagePullPolicy: IfNotPresent + name: contour + ports: + - containerPort: 8001 + name: xds + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + - containerPort: 6060 + name: debug + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8000 + readinessProbe: + tcpSocket: + port: 8001 + periodSeconds: 10 + volumeMounts: + - name: contourcert + mountPath: /certs + readOnly: true + - name: contour-config + mountPath: /config + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + dnsPolicy: ClusterFirst + serviceAccountName: contour + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumes: + - name: contourcert + secret: + secretName: contourcert + - name: contour-config + configMap: + name: contour + defaultMode: 0644 + items: + - 
key: contour.yaml + path: contour.yaml diff --git a/session-manager/packages/contour/upstream/03-envoy.yaml b/session-manager/packages/contour/upstream/03-envoy.yaml new file mode 100644 index 000000000..cf3ecb6f9 --- /dev/null +++ b/session-manager/packages/contour/upstream/03-envoy.yaml 
@@ -0,0 +1,139 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: ghcr.io/projectcontour/contour:v1.28.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + name: shutdown-manager + volumeMounts: + - name: envoy-admin + mountPath: /admin + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.29.5 + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + - name: envoy-admin + mountPath: /admin + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - 
--envoy-key-file=/certs/tls.key + command: + - contour + image: ghcr.io/projectcontour/contour:v1.28.5 + imagePullPolicy: IfNotPresent + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-admin + emptyDir: {} + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 diff --git a/session-manager/packages/contour/upstream/README.md b/session-manager/packages/contour/upstream/README.md new file mode 100644 index 000000000..5edf32fc8 --- /dev/null +++ b/session-manager/packages/contour/upstream/README.md 
@@ -0,0 +1,84 @@ +# Contour Installation + +This is an installation guide to configure Contour in a Deployment separate from Envoy which allows for easier scaling of each component. + +This configuration has several advantages: + +1. Envoy runs as a daemonset which allows for distributed scaling across workers in the cluster +2. Communication between Contour and Envoy is secured by mutually-checked self-signed certificates. + +## Moving parts + +- Contour is run as Deployment and Envoy as a Daemonset +- Envoy runs on host networking +- Envoy runs on ports 80 & 443 + +The TLS secrets used to secure the gRPC session between Contour and Envoy are generated using a Job that runs `contour certgen`. +For detailed instructions on how to configure the required secrets manually, see the [step-by-step TLS HOWTO](https://projectcontour.io/docs/main/grpc-tls-howto). + +## Deploy Contour + +Either: + +1. Run `kubectl apply -f https://projectcontour.io/quickstart/contour.yaml` + +or: +Clone or fork the repository, then run: + +```bash +kubectl apply -f examples/contour +``` + +This will: + +- set up RBAC and Contour's CRDs (CRDs include HTTPProxy, TLSCertificateDelegation) +- run a Kubernetes Job that will generate one-year validity certs and put them into `projectcontour` +- Install Contour and Envoy in a Deployment and Daemonset respectively. + +**NOTE**: The current configuration exposes the `/stats` path from the Envoy Admin UI so that Prometheus can scrape for metrics. + +## Test + +1. Install a workload (see the kuard example in the [main deployment guide](https://projectcontour.io/docs/main/deploy-options/#test-with-httpproxy)). + +## Deploying with Host Networking enabled for Envoy + +In order to deploy the Envoy Daemonset with host networking enabled, you need to make two changes. 
+ +In the Envoy daemonset definition, at the Pod spec level, change: + +```yaml +dnsPolicy: ClusterFirst +``` + +to + +```yaml +dnsPolicy: ClusterFirstWithHostNet +``` + +and add + +```yaml +hostNetwork: true +``` + +Then, in the Envoy Service definition, change the annotation from: + +```yaml + # This annotation puts the AWS ELB into "TCP" mode so that it does not + # do HTTP negotiation for HTTPS connections at the ELB edge. + # The downside of this is the remote IP address of all connections will + # appear to be the internal address of the ELB. See docs/proxy-proto.md + # for information about enabling the PROXY protocol on the ELB to recover + # the original remote IP address. + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp +``` + +to + +```yaml + service.beta.kubernetes.io/aws-load-balancer-type: nlb +``` + +Then, apply the example as normal. This will still deploy a LoadBalancer Service, but it will be an NLB instead of an ELB. diff --git a/session-manager/requirements.txt b/session-manager/requirements.txt index 63a32f28c..b7707c43f 100644 --- a/session-manager/requirements.txt +++ b/session-manager/requirements.txt @@ -1,6 +1,6 @@ kopf[full-auth]==1.36.2 bcrypt==4.1.2 -aiohttp==3.9.4 +aiohttp==3.10.2 PyYAML==6.0.1 pykube-ng==23.6.0 wrapt==1.15.0 diff --git a/training-portal/requirements.txt b/training-portal/requirements.txt index 96824d245..d12510774 100644 --- a/training-portal/requirements.txt +++ b/training-portal/requirements.txt @@ -1,5 +1,5 @@ mod_wsgi==5.0.0 -Django==4.2.11 +Django==4.2.15 django-registration==3.4 django-crispy-forms==2.1 crispy-bootstrap5==2023.10 diff --git a/training-portal/src/project/apps/workshops/manager/cleanup.py b/training-portal/src/project/apps/workshops/manager/cleanup.py index bfe27f1a4..8aef9cee0 100644 --- a/training-portal/src/project/apps/workshops/manager/cleanup.py +++ b/training-portal/src/project/apps/workshops/manager/cleanup.py 
@@ -108,17 +108,30 @@ def purge_expired_workshop_sessions(): # workshop session. idle_time = timedelta(seconds=response.json()["idle-time"]) + last_view = timedelta(seconds=response.json()["last-view"]) if idle_time >= session.environment.orphaned: logger.info( - "Schedule deletion of orphaned workshop session %s.", + "Schedule deletion of orphaned workshop session %s after period of %s seconds.", session.name, + idle_time.total_seconds(), ) report_analytics_event(session, "Session/Orphaned") delete_workshop_session(session).schedule() + elif last_view >= (3 * session.environment.orphaned): + logger.info( + "Schedule deletion of inactive workshop session %s after period of %s seconds.", + session.name, + last_view.total_seconds(), + ) + + report_analytics_event(session, "Session/Inactive") + + delete_workshop_session(session).schedule() + else: # XXX If we don't get a valid response then not # currently doing anything. Need a better method to diff --git a/training-portal/src/project/apps/workshops/manager/environments.py b/training-portal/src/project/apps/workshops/manager/environments.py index aecea2e3b..787238c2e 100644 --- a/training-portal/src/project/apps/workshops/manager/environments.py +++ b/training-portal/src/project/apps/workshops/manager/environments.py @@ -421,6 +421,10 @@ def update_workshop_environments(training_portal, workshops): environment.save() + update_environment_status_details( + environment.name, environment.capacity, environment.reserved + ) + @background_task @resources_lock @@ -496,6 +500,7 @@ def process_workshop_environment(portal, workshop, position): "name": environment.name, "labels": { f"training.{settings.OPERATOR_API_GROUP}/portal.name": portal.name, + f"training.{settings.OPERATOR_API_GROUP}/portal.uid": portal.uid, }, "ownerReferences": [ { 
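Review bot: The new `response.json()["last-view"]` lookup raises KeyError when the session's poll endpoint does not return a `last-view` key (a workshop image predating this field would do that), which aborts the purge before the orphaned check that already worked on the line above; whether a surrounding try/except catches it is not visible in the hunk. Parse the body once and tolerate the missing key so older sessions keep the previous behaviour: `data = response.json()`, `idle_time = timedelta(seconds=data["idle-time"])`, `last_view = timedelta(seconds=data.get("last-view", 0))`. The `3 *` multiplier in the new `elif` is an unexplained constant and deserves a comment such as `# A session is treated as inactive once the page has gone unviewed for three times the orphaned timeout.` The enclosing `purge_expired_workshop_sessions` starts before the hunk.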
@@ -523,6 +528,13 @@ def process_workshop_environment(portal, workshop, position): "theme": {"name": settings.THEME_NAME}, "cookies": {"domain": settings.SESSION_COOKIE_DOMAIN}, }, + "status": { + settings.OPERATOR_STATUS_KEY: { + "capacity": environment.capacity, + "initial": environment.initial, + "reserved": environment.reserved, + }, + }, } if settings.GOOGLE_TRACKING_ID is not None: @@ -644,3 +656,42 @@ def replace_workshop_environment(environment): # Now schedule creation of the replacement workshop session. process_workshop_environment(environment.portal, workshop, position).schedule() + + +def update_environment_status_details(name, capacity, reserved): + """Update the capacity for the workshop environment recorded in the status.""" + + try: + K8SWorkshopEnvironment = pykube.object_factory( + api, + f"training.{settings.OPERATOR_API_GROUP}/v1beta1", + "WorkshopEnvironment", + ) + + resource = K8SWorkshopEnvironment.objects(api).get(name=name) + + # The status may not exist as yet if not processed by the operator. + + status = resource.obj.setdefault("status", {}).setdefault( + settings.OPERATOR_STATUS_KEY, {} + ) + + status["capacity"] = capacity + status["reserved"] = reserved + + resource.update() + + logger.info( + "Updated status of workshop environment %s with capacity=%s and reserved=%s.", + name, + capacity, + reserved, + ) + + except pykube.exceptions.ObjectDoesNotExist: + pass + + except pykube.exceptions.PyKubeError: + logger.exception( + "Failed to update status details of workshop environment %s.", name + ) diff --git a/training-portal/src/project/apps/workshops/manager/sessions.py b/training-portal/src/project/apps/workshops/manager/sessions.py index 49018c9e9..a1864c653 100644 --- a/training-portal/src/project/apps/workshops/manager/sessions.py +++ b/training-portal/src/project/apps/workshops/manager/sessions.py 
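Review bot: `update_environment_status_details` writes `status` through `resource.update()` on the main WorkshopEnvironment endpoint; if that CRD enables the `status` subresource (its definition is not visible here), the API server silently drops the status change and the following `logger.info("Updated status ...")` reports a success that never happened, so confirm against the CRD or patch via the status subresource. The docstring says only "Update the capacity" while the body also writes `reserved`; `"""Update the capacity and reserved counts recorded in the workshop environment's status."""` matches what it does. The `except pykube.exceptions.ObjectDoesNotExist: pass` is a reasonable best-effort, but a `logger.debug("Workshop environment %s no longer exists.", name)` there would make a silent no-op diagnosable.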
@@ -72,6 +72,7 @@ def create_request_resources(session): f"training.{settings.OPERATOR_API_GROUP}/component.group": "variables", f"training.{settings.OPERATOR_API_GROUP}/workshop.name": session.environment.workshop.name, f"training.{settings.OPERATOR_API_GROUP}/portal.name": settings.PORTAL_NAME, + f"training.{settings.OPERATOR_API_GROUP}/portal.uid": settings.PORTAL_UID, f"training.{settings.OPERATOR_API_GROUP}/environment.name": session.environment.name, f"training.{settings.OPERATOR_API_GROUP}/session.name": session.name, }, @@ -109,7 +110,9 @@ def create_request_resources(session): f"training.{settings.OPERATOR_API_GROUP}/component": "request", f"training.{settings.OPERATOR_API_GROUP}/workshop.name": session.environment.workshop.name, f"training.{settings.OPERATOR_API_GROUP}/portal.name": settings.PORTAL_NAME, + f"training.{settings.OPERATOR_API_GROUP}/portal.uid": settings.PORTAL_UID, f"training.{settings.OPERATOR_API_GROUP}/environment.name": session.environment.name, + f"training.{settings.OPERATOR_API_GROUP}/environment.uid": session.environment.uid, f"training.{settings.OPERATOR_API_GROUP}/session.name": session.name, }, "ownerReferences": [ @@ -125,7 +128,7 @@ def create_request_resources(session): }, "spec": { "environment": {"name": session.environment.name}, - "session": {"name": session.name}, + "session": {"name": session.name, "user": session.owner.username}, }, } @@ -137,7 +140,7 @@ def create_request_resources(session): ) -def update_session_status(name, phase): +def update_session_status(name, phase, user=None): """Update the status of the Kubernetes resource object for the workshop session. 
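Review bot: `"user": session.owner.username` in `create_request_resources` dereferences `session.owner` unconditionally, whereas `create_workshop_session` in this same file guards with `if session.owner:` before relying on it, so a reserve session with no owner yet would raise AttributeError here if this function is reached for it (the call paths are outside the hunk). Guard it the same way: `"session": {"name": session.name, "user": session.owner.username if session.owner else ""}`, or omit the key when there is no owner. Note also that this places a portal username into a cluster-visible custom resource spec, so anyone with read access to these objects in the namespace can now map sessions to people; if that is intended, a one-line comment saying so will stop a later reviewer from treating it as a leak. `create_request_resources` begins before the hunk.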
@@ -154,12 +157,26 @@ def update_session_status(name, phase): # In this case fill it in and operator will preserve the value when # sees associated with a training portal. - resource.obj.setdefault("status", {}).setdefault( + status = resource.obj.setdefault("status", {}).setdefault( settings.OPERATOR_STATUS_KEY, {} - )["phase"] = phase + ) + + status["phase"] = phase + + if user: + status["user"] = str(user.username) + resource.update() - logger.info("Updated status of workshop session %s to %s.", name, phase) + if user: + logger.info( + "Updated status of workshop session %s to %s for user %s.", + name, + phase, + user.username, + ) + else: + logger.info("Updated status of workshop session %s to %s.", name, phase) except pykube.exceptions.ObjectDoesNotExist: pass @@ -219,7 +236,9 @@ def create_workshop_session(session, secret): "name": session.name, "labels": { f"training.{settings.OPERATOR_API_GROUP}/portal.name": settings.PORTAL_NAME, + f"training.{settings.OPERATOR_API_GROUP}/portal.uid": settings.PORTAL_UID, f"training.{settings.OPERATOR_API_GROUP}/environment.name": session.environment.name, + f"training.{settings.OPERATOR_API_GROUP}/environment.uid": session.environment.uid, }, "ownerReferences": [ { @@ -300,7 +319,7 @@ def create_workshop_session(session, secret): report_analytics_event(session, "Session/Created") if session.owner: - update_session_status(session.name, "Allocated") + update_session_status(session.name, "Allocated", session.owner) report_analytics_event(session, "Session/Started") if session.token: session.mark_as_waiting() @@ -312,6 +331,7 @@ def _schedule_resource_creation(): transaction.on_commit(_schedule_resource_creation) else: + update_session_status(session.name, "Available") session.mark_as_waiting() 
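Review bot: `status["user"]` is only ever written, never cleared, so a later `update_session_status(name, "Available")` call like the one added further down this file leaves a previously recorded username attached to a session that no longer belongs to that user; whether a session can return to Available after being owned is not visible here, so this may be latent. Clearing it on that transition keeps the status truthful: `elif phase == "Available": status.pop("user", None)` placed after the `if user:` branch. The two `logger.info` calls could collapse into one by appending the user only when present, but that is cosmetic. `update_session_status` starts before the hunk.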
@@ -676,11 +696,11 @@ def allocate_session_for_user(environment, user, token, timeout=None, params={}) session.params = resolve_request_params(session.environment.workshop, params) if token: - update_session_status(session.name, "Allocating") + update_session_status(session.name, "Allocating", user) report_analytics_event(session, "Session/Pending") session.mark_as_pending(user, token, timeout) else: - update_session_status(session.name, "Allocated") + update_session_status(session.name, "Allocated", user) report_analytics_event(session, "Session/Started") session.mark_as_running(user) @@ -723,9 +743,9 @@ def create_session_for_user(environment, user, token, timeout=None, params={}): session.params = resolve_request_params(session.environment.workshop, params) if token: - update_session_status(session.name, "Allocating") + update_session_status(session.name, "Allocating", user) else: - update_session_status(session.name, "Allocated") + update_session_status(session.name, "Allocated", user) session.mark_as_pending(user, token, timeout) @@ -752,9 +772,9 @@ def create_session_for_user(environment, user, token, timeout=None, params={}): session.params = resolve_request_params(session.environment.workshop, params) if token: - update_session_status(session.name, "Allocating") + update_session_status(session.name, "Allocating", user) else: - update_session_status(session.name, "Allocated") + update_session_status(session.name, "Allocated", user) session.mark_as_pending(user, token, timeout) @@ -788,9 +808,9 @@ def create_session_for_user(environment, user, token, timeout=None, params={}): session.params = resolve_request_params(session.environment.workshop, params) if token: - update_session_status(session.name, "Allocating") + update_session_status(session.name, "Allocating", user) else: - update_session_status(session.name, "Allocated") + update_session_status(session.name, "Allocated", user) session.mark_as_pending(user, token, timeout) 
@@ -802,12 +822,16 @@ def create_session_for_user(environment, user, token, timeout=None, params={}):
 return session
-def retrieve_session_for_user(environment, user, token=None, timeout=None, params={}):
+def retrieve_session_for_user(
+ environment, user, session_name=None, token=None, timeout=None, params={}
+):
 """Determine if there is already an allocated session for this workshop environment which the user is an owner of. If there is return it. Note that if we have a token because this is being requested via the REST API, it will not overwrite any existing token as we want to reuse the existing
- one and not generate a new one.
+ one and not generate a new one. if we can't find an existing session, we
+ will create a new one if there is available capacity. If there is no
+ available capacity, no session will be returned.
 """
@@ -821,8 +845,23 @@ def retrieve_session_for_user(environment, user, token=None, timeout=None, param
 if session and not session.is_stopping():
 if token and session.is_pending():
 session.mark_as_pending(user, token, timeout)
+
+ # If a session name was provided then any existing session found for the
+ # user must have that name. This is so that it is possible to reacquire
+ # a session that was previously created via the REST API and not create
+ # a new one if it couldn't be found.
+
+ if session_name and session.name != session_name:
+ return
+
 return session
+ # A session name was provided but we didn't find an existing session so
+ # we do not create a new one.
+
+ if session_name:
+ return
+
 # Determine if the user is permitted to create a workshop session.
 portal = environment.portal
diff --git a/training-portal/src/project/apps/workshops/static/workshops/scripts/session.js b/training-portal/src/project/apps/workshops/static/workshops/scripts/session.js
index 0effbf733..6231f3014 100644
--- a/training-portal/src/project/apps/workshops/static/workshops/scripts/session.js
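Review bot: In the second hunk of `retrieve_session_for_user` the new `session_name` check sits after `session.mark_as_pending(user, token, timeout)`, so a REST request that names a different session still replaces the token and timeout on the user's existing session before the function returns None; moving `if session_name and session.name != session_name: return` above the `if token and session.is_pending():` block avoids that side effect. The first hunk inserts `session_name` positionally between `user` and `token`, so any caller outside this commit that still passes `token` as the third argument would have it silently treated as a session name; appending the new parameter at the end of the signature, or making it keyword-only, turns that into a visible error instead. In the added docstring text, `if we can't find` should start with a capital letter. `retrieve_session_for_user` continues past the hunk.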
+++ b/training-portal/src/project/apps/workshops/static/workshops/scripts/session.js
@@ -1,6 +1,6 @@
-function check_readiness(session_url, restart_url, startup_timeout) {
+function setup_readiness_check(session_url, restart_url, startup_timeout) {
 start_time_ms = Date.now();
 startup_progress_panel = document.getElementById("startup-progress-panel");
@@ -10,24 +10,48 @@ function check_readiness(session_url, restart_url, startup_timeout) {
 startup_progress_panel.style.visibility = "visible";
 }
+ // We only want to flag page as hidden if it wasn't visible at all during
+ // the polling internal. This is to avoid flagging the page as hidden when
+ // the user is actively checking the page.
+
+ let was_visible = true
+
+ document.addEventListener("visibilitychange", () => {
+ was_visible = was_visible || !document.hidden
+ });
+
 function poll_session() {
+ let flag_as_hidden = !was_visible
+
+ was_visible = !document.hidden
+
 $.ajax({
 type: 'GET',
 url: session_url + "/session/poll",
+ data: {
+ hidden: flag_as_hidden
+ },
 cache: false,
 success: function (data, textStatus, xhr) {
- setTimeout(function () { poll_session(session_url); }, 15000);
+ setTimeout(function () { poll_session(); }, 15000);
 },
 error: function () {
- setTimeout(function () { poll_session(session_url); }, 15000);
+ setTimeout(function () { poll_session(); }, 15000);
 }
 });
 }
 function check_readiness() {
+ let flag_as_hidden = !was_visible
+
+ was_visible = !document.hidden
+
 $.ajax({
 type: 'GET',
 url: session_url + "/session/poll",
+ data: {
+ hidden: flag_as_hidden
+ },
 cache: false,
 success: function (data, textStatus, xhr) {
 if (xhr.status == 200) {
diff --git a/training-portal/src/project/apps/workshops/templates/workshops/catalog.html b/training-portal/src/project/apps/workshops/templates/workshops/catalog.html
index ccdff3fb8..4e1273129 100644
--- a/training-portal/src/project/apps/workshops/templates/workshops/catalog.html
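Review bot: `data: { hidden: flag_as_hidden }` on a GET sends the flag as the query string `hidden=true` or `hidden=false`, so the Django view behind `/session/poll` (not in this diff) must compare the string value rather than test it for truthiness, since `"false"` is truthy. The same three lines of visibility bookkeeping are copied into both `poll_session` and `check_readiness`; a helper such as `function take_hidden_flag() { const flag = !was_visible; was_visible = !document.hidden; return flag; }` keeps the two in step. `let was_visible = true` and the two `was_visible` assignments lack the semicolons used everywhere else in this file, and the comment's `polling internal` presumably means `polling interval`. `setup_readiness_check` continues past the hunk.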
+++ b/training-portal/src/project/apps/workshops/templates/workshops/catalog.html @@ -4,7 +4,6 @@ {% block head_styles %} - {% endblock %} {% block content %} @@ -80,5 +79,4 @@
{% block body_scripts %} - {% endblock %} diff --git a/training-portal/src/project/apps/workshops/templates/workshops/session.html b/training-portal/src/project/apps/workshops/templates/workshops/session.html index 81d861a8f..1638f7076 100644 --- a/training-portal/src/project/apps/workshops/templates/workshops/session.html +++ b/training-portal/src/project/apps/workshops/templates/workshops/session.html @@ -94,7 +94,7 @@
Waiting for deployment...
diff --git a/training-portal/src/project/apps/workshops/views/environment.py b/training-portal/src/project/apps/workshops/views/environment.py
index 5ccefded4..ab2108a9b 100644
--- a/training-portal/src/project/apps/workshops/views/environment.py
+++ b/training-portal/src/project/apps/workshops/views/environment.py
@@ -2,7 +2,12 @@
 """
-__all__ = ["environment", "environment_create", "environment_status", "environment_request"]
+__all__ = [
+ "environment",
+ "environment_create",
+ "environment_status",
+ "environment_request",
+]
 import copy
 import uuid
@@ -31,6 +36,8 @@ from ..manager.sessions import retrieve_session_for_user
 from ..manager.locking import resources_lock
 from ..models import TrainingPortal, Environment, EnvironmentState, SessionState
+from .helpers import update_query_params
+
 @login_required
 @require_http_methods(["GET"])
@@ -50,12 +57,22 @@ def environment(request, name):
 instance = Environment.objects.get(name=name)
 except Environment.DoesNotExist:
 if index_url:
- return redirect(index_url + "?notification=workshop-invalid")
+ return redirect(
+ update_query_params(index_url, {"notification": "workshop-invalid"})
+ )
 if not request.user.is_staff and settings.PORTAL_INDEX:
- return redirect(settings.PORTAL_INDEX + "?notification=workshop-invalid")
+ return redirect(
+ update_query_params(
+ settings.PORTAL_INDEX, {"notification": "workshop-invalid"}
+ )
+ )
- return redirect(reverse("workshops_catalog") + "?notification=workshop-invalid")
+ return redirect(
+ update_query_params(
+ reverse("workshops_catalog"), {"notification": "workshop-invalid"}
+ )
+ )
 # Retrieve a session for the user for this workshop environment.
@@ -65,12 +82,22 @@ def environment(request, name):
 return redirect("workshops_session", name=session.name)
 if index_url:
- return redirect(index_url + "?notification=session-unavailable")
+ return redirect(
+ update_query_params(index_url, {"notification": "session-unavailable"})
+ )
 if not request.user.is_staff and settings.PORTAL_INDEX:
- return redirect(settings.PORTAL_INDEX + "?notification=session-unavailable")
+ return redirect(
+ update_query_params(
+ settings.PORTAL_INDEX, {"notification": "session-unavailable"}
+ )
+ )
- return redirect(reverse("workshops_catalog") + "?notification=session-unavailable")
+ return redirect(
+ update_query_params(
+ reverse("workshops_catalog"), {"notification": "session-unavailable"}
+ )
+ )
 @require_http_methods(["GET"])
@@ -298,6 +325,8 @@ def environment_request(request, name):
 if last_name:
 user_details["last_name"] = last_name
+ session_name = request.GET.get("session")
+
 # The timeout here in seconds is how long the workshop session will be
 # retained while waiting for it to be activated as a result of the URL
 # returned by the REST API call being visited by a user. This technically
@@ -348,7 +377,7 @@ def environment_request(request, name):
 else:
 return HttpResponseBadRequest("Malformed JSON request payload")
-
+
 params = request_params # Check whether a user already has an existing session allocated
@@ -373,18 +402,27 @@ def environment_request(request, name):
 characters = string.ascii_letters + string.digits
 token = "".join(random.sample(characters, 32))
- session = retrieve_session_for_user(instance, user, token, timeout, params)
+ session = retrieve_session_for_user(
+ instance, user, session_name, token, timeout, params
+ )
 if not session:
 return JsonResponse({"error": "No session available"}, status=503)
- details = {}
+ # If there is a session but it doesn't have a token associated with it then
+ # it wasn't created via the REST API and so cannot be reacquired using the
+ # REST API.
- details["name"] = session.name
+ if session and not session.token:
+ return JsonResponse({"error": "Cannot be reacquired"}, status=503)
 # The "session" property was replaced by "name" and "session" deprecated.
 # Include "session" for now, but it will be removed in future update.
+ details = {}
+
+ details["name"] = session.name
+
 details["session"] = session.name
 details["user"] = user.get_username()
diff --git a/training-portal/src/project/apps/workshops/views/helpers.py b/training-portal/src/project/apps/workshops/views/helpers.py
new file mode 100644
index 000000000..977e17ba7
--- /dev/null
+++ b/training-portal/src/project/apps/workshops/views/helpers.py
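Review bot: The guard `if session and not session.token:` in the last hunk re-tests `session`, which `if not session:` two lines earlier already settled, so `if not session.token:` is enough. Both failure paths answer 503, so an API client cannot tell a capacity problem from a reacquire mismatch — and when `session_name` is given and nothing matches, `retrieve_session_for_user` returns None and the reply is still `"No session available"`, which is not what happened; a distinct status per case (409 is the usual choice for a state conflict) or at least a distinct error string would make the REST contract explicit, and the new `session` query parameter deserves a mention in the API documentation. The `session_name` value comes straight from `request.GET` in the earlier hunk but is only ever compared against `session.name`, so no further validation is needed there. `environment_request` continues outside the hunk in both directions.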
@@ -0,0 +1,46 @@
+"""Helper functions for dealing with URLs."""
+
+from urllib.parse import urlparse, parse_qs, urlencode, urlunparse, urljoin
+
+
+def update_query_params(url, params):
+ """Update the query parameters of a URL with the given parameters. If the URL
+ is malformed or cannot be parsed, the original URL is returned."""
+
+ try:
+ # Parse the URL.
+
+ parsed_url = urlparse(url)
+
+ # Handle URLs with no scheme or netloc (e.g., paths like '/page').
+
+ if not parsed_url.scheme and not parsed_url.netloc:
+ # Treat it as a relative path URL.
+
+ base_url = "http://dummy" # Temporary base for relative path handling
+ parsed_url = urlparse(urljoin(base_url, url))
+
+ # Parse existing query parameters.
+
+ query_params = parse_qs(parsed_url.query)
+
+ # Update or add the new parameters.
+
+ query_params.update({key: [value] for key, value in params.items()})
+
+ # Reconstruct the URL with the updated query string.
+
+ updated_query = urlencode(query_params, doseq=True)
+ updated_url = urlunparse(parsed_url._replace(query=updated_query))
+
+ # If the URL was originally a path, strip out the dummy scheme and netloc.
+
+ if parsed_url.scheme == "http" and parsed_url.netloc == "dummy":
+ return updated_url.replace("http://dummy", "")
+
+ return updated_url
+
+ except Exception: # pylint: disable=broad-except
+ # In case of any parsing errors, return the original URL.
+
+ return url
diff --git a/training-portal/src/project/apps/workshops/views/session.py b/training-portal/src/project/apps/workshops/views/session.py
index 922955bc5..4ee93eaa4 100644
--- a/training-portal/src/project/apps/workshops/views/session.py
+++ b/training-portal/src/project/apps/workshops/views/session.py
@@ -42,6 +42,7 @@ from ..manager.sessions import update_session_status, create_request_resources
 from ..manager.analytics import report_analytics_event
 from ..models import TrainingPortal, SessionState
+from .helpers import update_query_params
 @login_required(login_url="/")
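Review bot: `parse_qs(parsed_url.query)` defaults to `keep_blank_values=False`, so an existing parameter with an empty value (`?foo=`) is silently dropped when the notification is added, which the string concatenation this helper replaces never did; `parse_qs(parsed_url.query, keep_blank_values=True)` keeps the URL's query intact. Routing scheme-less input through `urljoin("http://dummy", url)` also rewrites a relative path such as `page?x=1` to `/page?x=1` once the dummy prefix is stripped, so the helper is exact only for absolute paths and full URLs — worth stating in the docstring. It deliberately does not validate the host, so whatever open-redirect exposure a caller's `index_url` has (its origin is not visible in this diff) is unchanged by the refactor; Django's `url_has_allowed_host_and_scheme` remains the check to apply at the call site if that value is ever request-supplied. `updated_url.replace("http://dummy", "")` replaces every occurrence rather than just the prefix; `updated_url[len("http://dummy"):]` is the narrower form.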
@@ -67,25 +68,35 @@ def session(request, name):
 if not instance:
 if index_url:
- return redirect(index_url + "?notification=session-invalid")
+ return redirect(
+ update_query_params(index_url, {"notification": "session-invalid"})
+ )
 if not request.user.is_staff and settings.PORTAL_INDEX:
- return redirect(settings.PORTAL_INDEX + "?notification=session-invalid")
-
- return redirect(reverse("workshops_catalog") + "?notification=session-invalid")
+ return redirect(
+ update_query_params(
+ settings.PORTAL_INDEX, {"notification": "session-invalid"}
+ )
+ )
+
+ return redirect(
+ update_query_params(
+ reverse("workshops_catalog"), {"notification": "session-invalid"}
+ )
+ )
 context["session"] = instance
 context["session_owner"] = instance.owner and instance.owner.get_username() or ""
- context[
- "session_url"
- ] = f"{settings.INGRESS_PROTOCOL}://{instance.name}.{settings.INGRESS_DOMAIN}"
+ context["session_url"] = (
+ f"{settings.INGRESS_PROTOCOL}://{instance.name}.{settings.INGRESS_DOMAIN}"
+ )
 portal_url = f"{settings.INGRESS_PROTOCOL}://{settings.PORTAL_HOSTNAME}"
- context[
- "restart_url"
- ] = f"{portal_url}/workshops/session/{instance.name}/delete/?notification=startup-timeout"
+ context["restart_url"] = (
+ f"{portal_url}/workshops/session/{instance.name}/delete/?notification=startup-timeout"
+ )
 context["startup_timeout"] = instance.environment.overdue.total_seconds()
 try:
@@ -140,7 +151,7 @@ def session_activate(request, name):
 return HttpResponseServerError("Owner for session is not active")
 if not instance.is_running():
- update_session_status(instance.name, "Allocated")
+ update_session_status(instance.name, "Allocated", instance.owner)
 report_analytics_event(instance, "Session/Started")
 instance.mark_as_running()
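Review bot: `restart_url` in the first hunk is still assembled by string concatenation (`.../delete/?notification=startup-timeout`) while every other notification URL in this file now goes through `update_query_params`; building it as `update_query_params(f"{portal_url}/workshops/session/{instance.name}/delete/", {"notification": "startup-timeout"})` keeps a single encoding path for query parameters. `session_url` and `restart_url` are presumably the values handed to the page's `setup_readiness_check` script, so they are what a user is sent to after a startup timeout — one more reason to build them the same way. The `session` view continues past the hunk.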
@@ -217,12 +228,22 @@ def session_delete(request, name):
 if not instance:
 if index_url:
- return redirect(index_url + "?notification=session-invalid")
+ return redirect(
+ update_query_params(index_url, {"notification": "session-invalid"})
+ )
 if not request.user.is_staff and settings.PORTAL_INDEX:
- return redirect(settings.PORTAL_INDEX + "?notification=session-invalid")
-
- return redirect(reverse("workshops_catalog") + "?notification=session-invalid")
+ return redirect(
+ update_query_params(
+ settings.PORTAL_INDEX, {"notification": "session-invalid"}
+ )
+ )
+
+ return redirect(
+ update_query_params(
+ reverse("workshops_catalog"), {"notification": "session-invalid"}
+ )
+ )
 # Mark the instance as stopping now so that it will not be picked up
 # by the user again if they attempt to create a new session immediately.
@@ -239,12 +260,18 @@ def session_delete(request, name):
 notification = "session-deleted"
 if index_url:
- return redirect(index_url + f"?notification={notification}")
+ return redirect(update_query_params(index_url, {"notification": notification}))
 if not request.user.is_staff and settings.PORTAL_INDEX:
- return redirect(settings.PORTAL_INDEX + f"?notification={notification}")
-
- return redirect(reverse("workshops_catalog") + f"?notification={notification}")
+ return redirect(
+ update_query_params(settings.PORTAL_INDEX, {"notification": notification})
+ )
+
+ return redirect(
+ update_query_params(
+ reverse("workshops_catalog"), {"notification": notification}
+ )
+ )
 @protected_resource()
diff --git a/training-portal/src/project/static/styles/project.css b/training-portal/src/project/static/styles/project.css
index 3d641abed..4c5dc337f 100644
--- a/training-portal/src/project/static/styles/project.css
+++ b/training-portal/src/project/static/styles/project.css
@@ -21,3 +21,13 @@ padding-top: 15px; padding-bottom: 15px; } + +.register { + padding-top: 15px; + padding-bottom: 15px; +} + +.registration-closed { + padding-top: 15px; + padding-bottom: 15px; +} diff --git a/training-portal/src/project/templates/project-base.html b/training-portal/src/project/templates/project-base.html index d2a68bf2c..23b3ed275 100644 --- a/training-portal/src/project/templates/project-base.html +++ b/training-portal/src/project/templates/project-base.html @@ -13,6 +13,7 @@ {{ portal_title | escape }} {% block head_styles %} {% endblock %} + {% if google_tracking_id %} diff --git a/tunnel-manager/requirements.txt b/tunnel-manager/requirements.txt index b5ede0589..6edcf29c9 100644 --- a/tunnel-manager/requirements.txt +++ b/tunnel-manager/requirements.txt @@ -1,5 +1,5 @@ kopf[full-auth]==1.36.1 -aiohttp==3.9.4 +aiohttp==3.10.2 PyYAML==6.0.1 pykube-ng==22.9.0 websockets==10.4 diff --git a/vendir.lock.yml b/vendir.lock.yml index 2113dfe4e..4831066a7 100644 --- a/vendir.lock.yml +++ b/vendir.lock.yml 
@@ -1,43 +1,63 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: +- contents: + - githubRelease: + tag: v1.11.5 + url: https://api.github.com/repos/kyverno/kyverno/releases/154920993 + path: . + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kyverno/upstream - contents: - git: - commitTitle: 'chore(release): 4.2.0...' - sha: 5e58e73fda5da5fa4871e4aad3281b9af1777927 - tags: - - v4.2.0 + commitTitle: 'chore: add script to update artifacthub digest (#769)...' + sha: fdc508b26a696ceb2cd3ae481d1f2c660dda59d0 + path: . + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream +- contents: + - git: + commitTitle: 'chore: add script to update artifacthub digest (#769)...' + sha: fdc508b26a696ceb2cd3ae481d1f2c660dda59d0 path: . - path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream +- contents: + - git: + commitTitle: 'chore: add script to update artifacthub digest (#769)...' + sha: fdc508b26a696ceb2cd3ae481d1f2c660dda59d0 + path: . + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream - contents: - githubRelease: - tag: v1.9.2 - url: https://api.github.com/repos/kyverno/kyverno/releases/96431508 + tag: v1.14.7 + url: https://api.github.com/repos/cert-manager/cert-manager/releases/161627002 path: . - path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/_ytt_lib/upstream + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/upstream - contents: - git: - commitTitle: Upgrade CSI driver to 2.6.3 and CVE Fix (#5655)... - sha: fe3d3e73fac75543d83808ff3e970934b0e11c43 + commitTitle: Update Contour Docker image to v1.28.5.... + sha: 1f4fe0502fe35c3726bee77f4f9ea06ac4c2f34d tags: - - v0.13.0-dev.2-556-gfe3d3e73 + - v1.28.5 path: . 
- path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream - contents: - git: - commitTitle: 'Merge pull request #475 from ingmarfjolla/istio-vs-policy-add...' - sha: 497d3c5291260369ba3e89d66a283540371aae78 + commitTitle: Update Contour Docker image to v1.28.5.... + sha: 1f4fe0502fe35c3726bee77f4f9ea06ac4c2f34d + tags: + - v1.28.5 path: . - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream + path: session-manager/packages/contour/upstream - contents: - git: - commitTitle: 'Merge pull request #475 from ingmarfjolla/istio-vs-policy-add...' - sha: 497d3c5291260369ba3e89d66a283540371aae78 + commitTitle: 'Merge pull request #4476 from mloiseleur/fix/deps-upgrade...' + sha: e490412e6c44459524147febd140f4584d266fc5 + tags: + - v0.14.2 path: . - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream - contents: - - git: - commitTitle: 'Merge pull request #317 from smcaine/update-check-deprecated-apis...' - sha: 6abd32f8a03c0f98d8d5e90791e53e00d05a4e3e + - githubRelease: + tag: v0.52.0 + url: https://api.github.com/repos/carvel-dev/kapp-controller/releases/155438864 path: . - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream + path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream kind: LockConfig diff --git a/vendir.yml b/vendir.yml index ece71727f..08976d1fa 100644 --- a/vendir.yml +++ b/vendir.yml 
@@ -4,90 +4,113 @@ kind: Config minimumRequiredVersion: 0.26.0 directories: - - path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/metacontroller/_ytt_lib/upstream + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kyverno/upstream contents: - - path: "." - git: - url: https://github.com/metacontroller/metacontroller - ref: refs/tags/v4.2.0 - - includePaths: - - "manifests/production/**" - - excludePaths: - - "**/manifests/production/kustomization.yaml" - - newRootPath: manifests/production - - - path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/_ytt_lib/upstream + - path: "." + githubRelease: + slug: kyverno/kyverno + tag: v1.11.5 + assetNames: + - install.yaml + disableAutoChecksumValidation: true + includePaths: + - install.yaml + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-restricted/upstream contents: - - path: "." - githubRelease: - slug: kyverno/kyverno - tag: v1.9.2 - assetNames: - - install.yaml - disableAutoChecksumValidation: true - - includePaths: - - install.yaml - - - path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream + - path: "." + git: + url: https://github.com/kyverno/policies + ref: origin/release-1.11 + includePaths: + - "pod-security/restricted/**" + excludePaths: + - "**/kustomization.yaml" + - "**/kyverno-test.yaml" + - "**/0*.yaml" + - "**/9*.yaml" + - "**/pod*.yaml" + - "**/resource.yaml" + - "**/artifacthub-pkg.yml" + - "**/.chainsaw-test" + - "**/.kyverno-test" + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-baseline/upstream contents: - - path: "." - git: - url: https://github.com/vmware-tanzu/community-edition - ref: origin/main - - newRootPath: addons/packages/contour/1.22.3/bundle/config - - - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream + - path: "." 
+ git: + url: https://github.com/kyverno/policies + ref: origin/release-1.11 + includePaths: + - "pod-security/baseline/**" + excludePaths: + - "**/kustomization.yaml" + - "**/kyverno-test.yaml" + - "**/0*.yaml" + - "**/9*.yaml" + - "**/pod*.yaml" + - "**/resource.yaml" + - "**/artifacthub-pkg.yml" + - "**/.chainsaw-test" + - "**/.kyverno-test" + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/kyverno-policies/upstream contents: - - path: "." - git: - url: https://github.com/kyverno/policies - ref: origin/release-1.9 - - includePaths: - - "pod-security/restricted/**" - - excludePaths: - - "**/kustomization.yaml" - - "**/kyverno-test.yaml" - - "**/resource.yaml" - - - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream + - path: "." + git: + url: https://github.com/kyverno/policies + ref: origin/release-1.11 + includePaths: + - "best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml" + - "best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml" + - "best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml" + - "best-practices/restrict-node-port/restrict-node-port.yaml" + - "nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml" + - "nginx-ingress/restrict-annotations/restrict-annotations.yaml" + - "nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml" + - "other/b-d/disallow-localhost-services/disallow-localhost-services.yaml" + - "other/m-q/prevent-cr8escape/prevent-cr8escape.yaml" + #! - "other/res/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml" + - "other/res/restrict-loadbalancer/restrict-loadbalancer.yaml" + #! - "other/s-z/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml" + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/cert-manager/upstream contents: - - path: "." 
- git: - url: https://github.com/kyverno/policies - ref: origin/release-1.9 - - includePaths: - - "pod-security/baseline/**" - - excludePaths: - - "**/kustomization.yaml" - - "**/kyverno-test.yaml" - - "**/resource.yaml" - - - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-policies/_ytt_lib/upstream + - path: . + githubRelease: + slug: cert-manager/cert-manager + tag: v1.14.7 + disableAutoChecksumValidation: true + includePaths: + - cert-manager.yaml + #! Note that we download Contour twice, once for use in Educates package and + #! once for use by the virtual clusters code in session-manager. Make sure the + #! version is updated on both and operation of both use cases checked. + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/contour/upstream contents: - - path: "." - git: - url: https://github.com/kyverno/policies - ref: origin/release-1.7 - - includePaths: - - "best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml" - - "best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml" - - "best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml" - - "best-practices/restrict_node_port/restrict_node_port.yaml" - - "nginx-ingress/nginx-custom-snippets/disallow-custom-snippets.yaml" - - "nginx-ingress/nginx_annotation_checks/restrict-annotations.yaml" - - "nginx-ingress/nginx_path_checks/restrict-path.yaml" - - "other/disallow_localhost_services/disallow_localhost_services.yaml" - - "other/prevent-cr8escape/prevent-cr8escape.yaml" - - "other/restrict_ingress_defaultbackend/restrict_ingress_defaultbackend.yaml" - - "other/restrict_loadbalancer/restrict_loadbalancer.yaml" - - "other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml" + - path: . + git: + url: https://github.com/projectcontour/contour + ref: v1.28.5 + newRootPath: examples/contour + - path: session-manager/packages/contour/upstream + contents: + - path: . 
+ git: + url: https://github.com/projectcontour/contour + ref: v1.28.5 + newRootPath: examples/contour + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/external-dns/upstream + contents: + - path: . + git: + url: https://github.com/kubernetes-sigs/external-dns + ref: v0.14.2 + includePaths: + - kustomize/external-dns-* + newRootPath: kustomize + - path: carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/kapp-controller/upstream + contents: + - path: . + githubRelease: + slug: carvel-dev/kapp-controller + tag: v0.52.0 + disableAutoChecksumValidation: true + includePaths: + - release.yml diff --git a/workshop-images/base-environment/opt/eduk8s/etc/templates/workshop-variables.yaml b/workshop-images/base-environment/opt/eduk8s/etc/templates/workshop-variables.yaml index cb0904600..0ba9c0df8 100644 --- a/workshop-images/base-environment/opt/eduk8s/etc/templates/workshop-variables.yaml +++ b/workshop-images/base-environment/opt/eduk8s/etc/templates/workshop-variables.yaml @@ -135,6 +135,7 @@ #@ add_param_from_environ("registry_host") #@ add_param_from_environ("registry_username") #@ add_param_from_environ("registry_password") +#@ add_param_from_environ("registry_auth_token") #@ add_param_from_environ("registry_secret") #@ add_param_from_environ("registry_auth_file") @@ -142,6 +143,7 @@ #@ add_param_from_environ("git_host") #@ add_param_from_environ("git_username") #@ add_param_from_environ("git_password") +#@ add_param_from_environ("git_auth_token") #@ add_param_from_environ("restart_url") diff --git a/workshop-images/base-environment/opt/gateway/package-lock.json b/workshop-images/base-environment/opt/gateway/package-lock.json index ecd625895..6029b82ff 100644 --- a/workshop-images/base-environment/opt/gateway/package-lock.json +++ b/workshop-images/base-environment/opt/gateway/package-lock.json 
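Review bot: The three kyverno policy sources are pinned with `ref: origin/release-1.11`, a moving branch, so a plain `vendir sync` (without `--locked`) fetches whatever that branch holds at the time rather than the `sha` recorded in vendir.lock.yml; pinning `ref:` to a tag or commit makes the vendored cluster policies reproducible from this file alone, and the same `ref` repeated across three entries can drift independently when updated by hand. The `githubRelease` entries for kyverno, cert-manager and kapp-controller carry `disableAutoChecksumValidation: true`, so manifests that install cluster-wide components are accepted without being checked against the release's published checksums; a `checksums:` map for the named assets would restore that check, and a `#!` comment on each entry should record why it is disabled. The Contour duplication comment is a good model for both notes.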
@@ -11,8 +11,10 @@ "dependencies": { "@amplitude/analytics-browser": "^2.3.5", "@fortawesome/fontawesome-free": "^6.5.1", + "@xterm/addon-fit": "^0.10.0", + "@xterm/addon-web-links": "^0.11.0", "@xterm/xterm": "^5.5.0", - "axios": "^1.6.2", + "axios": "^1.7.4", "axios-retry": "^3.9.1", "bootstrap": "^5.3.2", "bufferutil": "^4.0.8", @@ -39,14 +41,14 @@ "popper.js": "^1.16.1", "pug": "^3.0.3", "qrcode": "^1.5.1", - "requirejs": "^2.3.6", + "requirejs": "^2.3.7", "semver": "^7.5.4", "simple-oauth2": "^5.0.0", "split.js": "^1.6.5", "utf-8-validate": "^6.0.3", "uuid": "^9.0.1", "winston": "^3.11.0", - "ws": "^8.14.2" + "ws": "^8.17.1" }, "devDependencies": { "@types/bootstrap": "^5.2.9", @@ -575,6 +577,22 @@ "@types/node": "*" } }, + "node_modules/@xterm/addon-fit": { + "version": "0.10.0", + "resolved": "https://registry.npmjs.org/@xterm/addon-fit/-/addon-fit-0.10.0.tgz", + "integrity": "sha512-UFYkDm4HUahf2lnEyHvio51TNGiLK66mqP2JoATy7hRZeXaGMRDr00JiSF7m63vR5WKATF605yEggJKsw0JpMQ==", + "peerDependencies": { + "@xterm/xterm": "^5.0.0" + } + }, + "node_modules/@xterm/addon-web-links": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@xterm/addon-web-links/-/addon-web-links-0.11.0.tgz", + "integrity": "sha512-nIHQ38pQI+a5kXnRaTgwqSHnX7KE6+4SVoceompgHL26unAxdfP6IPqUTSYPQgSwM56hsElfoNrrW5V7BUED/Q==", + "peerDependencies": { + "@xterm/xterm": "^5.0.0" + } + }, "node_modules/@xterm/xterm": { "version": "5.5.0", "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz", 
@@ -677,15 +695,14 @@ "integrity": "sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==" }, "node_modules/asn1.js": { - "version": "5.4.1", - "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz", - "integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==", + "version": "4.10.1", + "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.1.tgz", + "integrity": "sha512-p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==", "dev": true, "dependencies": { "bn.js": "^4.0.0", "inherits": "^2.0.1", - "minimalistic-assert": "^1.0.0", - "safer-buffer": "^2.1.0" + "minimalistic-assert": "^1.0.0" } }, "node_modules/asn1.js/node_modules/bn.js": { @@ -747,11 +764,11 @@ } }, "node_modules/axios": { - "version": "1.6.2", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz", - "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==", + "version": "1.7.4", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz", + "integrity": "sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw==", "dependencies": { - "follow-redirects": "^1.15.0", + "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" } @@ -873,11 +890,11 @@ } }, "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dependencies": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" }, "engines": { "node": ">=8" 
@@ -1025,37 +1042,37 @@ } }, "node_modules/browserify-sign": { - "version": "4.2.2", - "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.2.tgz", - "integrity": "sha512-1rudGyeYY42Dk6texmv7c4VcQ0EsvVbLwZkA+AQB7SxvXxmcD93jcHie8bzecJ+ChDlmAm2Qyu0+Ccg5uhZXCg==", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.3.tgz", + "integrity": "sha512-JWCZW6SKhfhjJxO8Tyiiy+XYB7cqd2S5/+WeYHsKdNKFlCBhKbblba1A/HN/90YwtxKc8tCErjffZl++UNmGiw==", "dev": true, "dependencies": { "bn.js": "^5.2.1", "browserify-rsa": "^4.1.0", "create-hash": "^1.2.0", "create-hmac": "^1.1.7", - "elliptic": "^6.5.4", + "elliptic": "^6.5.5", + "hash-base": "~3.0", "inherits": "^2.0.4", - "parse-asn1": "^5.1.6", - "readable-stream": "^3.6.2", + "parse-asn1": "^5.1.7", + "readable-stream": "^2.3.8", "safe-buffer": "^5.2.1" }, "engines": { - "node": ">= 4" + "node": ">= 0.12" } }, - "node_modules/browserify-sign/node_modules/readable-stream": { - "version": "3.6.2", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", - "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "node_modules/browserify-sign/node_modules/hash-base": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz", + "integrity": "sha512-EeeoJKjTyt868liAlVmcv2ZsUfGHlE3Q+BICOXcZiwN3osr5Q/zFGYmTJpoIzuaSTAwndFy+GqhEwlU4L3j4Ow==", "dev": true, "dependencies": { - "inherits": "^2.0.3", - "string_decoder": "^1.1.1", - "util-deprecate": "^1.0.1" + "inherits": "^2.0.1", + "safe-buffer": "^5.0.1" }, "engines": { - "node": ">= 6" + "node": ">=4" } }, "node_modules/browserify-zlib": { 
@@ -1645,9 +1662,9 @@ "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" }, "node_modules/elliptic": { - "version": "6.5.4", - "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz", - "integrity": "sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==", + "version": "6.5.6", + "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.6.tgz", + "integrity": "sha512-mpzdtpeCLuS3BmE3pO3Cpp5bbjlOPY2Q0PgoF+Od1XZrHLYI28Xe3ossCmYCQt11FQKEYd9+PF8jymTvtWJSHQ==", "dev": true, "dependencies": { "bn.js": "^4.11.9", @@ -1842,9 +1859,9 @@ "integrity": "sha512-OP2IUU6HeYKJi3i0z4A19kHMQoLVs4Hc+DPqqxI2h/DPZHTm/vjsfC6P0b4jCMy14XizLBqvndQ+UilD7707Jw==" }, "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dependencies": { "to-regex-range": "^5.0.1" }, 
@@ -3037,16 +3054,33 @@ } }, "node_modules/parse-asn1": { - "version": "5.1.6", - "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.6.tgz", - "integrity": "sha512-RnZRo1EPU6JBnra2vGHj0yhp6ebyjBZpmUCLHWiFhxlzvBCCpAuZ7elsBp1PVAbQN0/04VD/19rfzlBSwLstMw==", + "version": "5.1.7", + "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.7.tgz", + "integrity": "sha512-CTM5kuWR3sx9IFamcl5ErfPl6ea/N8IYwiJ+vpeB2g+1iknv7zBl5uPwbMbRVznRVbrNY6lGuDoE5b30grmbqg==", "dev": true, "dependencies": { - "asn1.js": "^5.2.0", - "browserify-aes": "^1.0.0", - "evp_bytestokey": "^1.0.0", - "pbkdf2": "^3.0.3", - "safe-buffer": "^5.1.1" + "asn1.js": "^4.10.1", + "browserify-aes": "^1.2.0", + "evp_bytestokey": "^1.0.3", + "hash-base": "~3.0", + "pbkdf2": "^3.1.2", + "safe-buffer": "^5.2.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/parse-asn1/node_modules/hash-base": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz", + "integrity": "sha512-EeeoJKjTyt868liAlVmcv2ZsUfGHlE3Q+BICOXcZiwN3osr5Q/zFGYmTJpoIzuaSTAwndFy+GqhEwlU4L3j4Ow==", + "dev": true, + "dependencies": { + "inherits": "^2.0.1", + "safe-buffer": "^5.0.1" + }, + "engines": { + "node": ">=4" } }, "node_modules/parseurl": { @@ -3530,9 +3564,9 @@ "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==" }, "node_modules/requirejs": { - "version": "2.3.6", - "resolved": "https://registry.npmjs.org/requirejs/-/requirejs-2.3.6.tgz", - "integrity": "sha512-ipEzlWQe6RK3jkzikgCupiTbTvm4S0/CAU5GlgptkN5SO6F3u0UD0K18wy6ErDqiCyP4J4YYe1HuAShvsxePLg==", + "version": "2.3.7", + "resolved": "https://registry.npmjs.org/requirejs/-/requirejs-2.3.7.tgz", + "integrity": "sha512-DouTG8T1WanGok6Qjg2SXuCMzszOo0eHeH9hDZ5Y4x8Je+9JB38HdTLT4/VA8OaUhBa0JPVHJ0pyBkM1z+pDsw==", "bin": { "r_js": "bin/r.js", "r.js": "bin/r.js" 
@@ -4432,9 +4466,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.14.2", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.14.2.tgz", - "integrity": "sha512-wEBG1ftX4jcglPxgFCMJmZ2PLtSbJ2Peg6TmpJFTbe9GZYOQCDPdMYu/Tm0/bGZkw8paZnJY45J4K2PZrLYq8g==", + "version": "8.17.1", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", + "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", "engines": { "node": ">=10.0.0" }, @@ -4955,6 +4989,18 @@ "@types/node": "*" } }, + "@xterm/addon-fit": { + "version": "0.10.0", + "resolved": "https://registry.npmjs.org/@xterm/addon-fit/-/addon-fit-0.10.0.tgz", + "integrity": "sha512-UFYkDm4HUahf2lnEyHvio51TNGiLK66mqP2JoATy7hRZeXaGMRDr00JiSF7m63vR5WKATF605yEggJKsw0JpMQ==", + "requires": {} + }, + "@xterm/addon-web-links": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@xterm/addon-web-links/-/addon-web-links-0.11.0.tgz", + "integrity": "sha512-nIHQ38pQI+a5kXnRaTgwqSHnX7KE6+4SVoceompgHL26unAxdfP6IPqUTSYPQgSwM56hsElfoNrrW5V7BUED/Q==", + "requires": {} + }, "@xterm/xterm": { "version": "5.5.0", "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz", @@ -5035,15 +5081,14 @@ "integrity": "sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==" }, "asn1.js": { - "version": "5.4.1", - "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz", - "integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==", + "version": "4.10.1", + "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.1.tgz", + "integrity": "sha512-p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==", "dev": true, "requires": { "bn.js": "^4.0.0", "inherits": "^2.0.1", - "minimalistic-assert": "^1.0.0", - "safer-buffer": "^2.1.0" + "minimalistic-assert": "^1.0.0" }, "dependencies": { "bn.js": { 
@@ -5103,11 +5148,11 @@ "dev": true }, "axios": { - "version": "1.6.2", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz", - "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==", + "version": "1.7.4", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz", + "integrity": "sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw==", "requires": { - "follow-redirects": "^1.15.0", + "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" } @@ -5195,11 +5240,11 @@ } }, "braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "requires": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" } }, "brorand": { 
@@ -5370,31 +5415,31 @@ } }, "browserify-sign": { - "version": "4.2.2", - "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.2.tgz", - "integrity": "sha512-1rudGyeYY42Dk6texmv7c4VcQ0EsvVbLwZkA+AQB7SxvXxmcD93jcHie8bzecJ+ChDlmAm2Qyu0+Ccg5uhZXCg==", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.3.tgz", + "integrity": "sha512-JWCZW6SKhfhjJxO8Tyiiy+XYB7cqd2S5/+WeYHsKdNKFlCBhKbblba1A/HN/90YwtxKc8tCErjffZl++UNmGiw==", "dev": true, "requires": { "bn.js": "^5.2.1", "browserify-rsa": "^4.1.0", "create-hash": "^1.2.0", "create-hmac": "^1.1.7", - "elliptic": "^6.5.4", + "elliptic": "^6.5.5", + "hash-base": "~3.0", "inherits": "^2.0.4", - "parse-asn1": "^5.1.6", - "readable-stream": "^3.6.2", + "parse-asn1": "^5.1.7", + "readable-stream": "^2.3.8", "safe-buffer": "^5.2.1" }, "dependencies": { - "readable-stream": { - "version": "3.6.2", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", - "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "hash-base": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz", + "integrity": "sha512-EeeoJKjTyt868liAlVmcv2ZsUfGHlE3Q+BICOXcZiwN3osr5Q/zFGYmTJpoIzuaSTAwndFy+GqhEwlU4L3j4Ow==", "dev": true, "requires": { - "inherits": "^2.0.3", - "string_decoder": "^1.1.1", - "util-deprecate": "^1.0.1" + "inherits": "^2.0.1", + "safe-buffer": "^5.0.1" } } } 
@@ -5872,9 +5917,9 @@ "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" }, "elliptic": { - "version": "6.5.4", - "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz", - "integrity": "sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==", + "version": "6.5.6", + "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.6.tgz", + "integrity": "sha512-mpzdtpeCLuS3BmE3pO3Cpp5bbjlOPY2Q0PgoF+Od1XZrHLYI28Xe3ossCmYCQt11FQKEYd9+PF8jymTvtWJSHQ==", "dev": true, "requires": { "bn.js": "^4.11.9", @@ -6043,9 +6088,9 @@ "integrity": "sha512-OP2IUU6HeYKJi3i0z4A19kHMQoLVs4Hc+DPqqxI2h/DPZHTm/vjsfC6P0b4jCMy14XizLBqvndQ+UilD7707Jw==" }, "fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "requires": { "to-regex-range": "^5.0.1" } 
@@ -6928,16 +6973,29 @@ } }, "parse-asn1": { - "version": "5.1.6", - "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.6.tgz", - "integrity": "sha512-RnZRo1EPU6JBnra2vGHj0yhp6ebyjBZpmUCLHWiFhxlzvBCCpAuZ7elsBp1PVAbQN0/04VD/19rfzlBSwLstMw==", + "version": "5.1.7", + "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.7.tgz", + "integrity": "sha512-CTM5kuWR3sx9IFamcl5ErfPl6ea/N8IYwiJ+vpeB2g+1iknv7zBl5uPwbMbRVznRVbrNY6lGuDoE5b30grmbqg==", "dev": true, "requires": { - "asn1.js": "^5.2.0", - "browserify-aes": "^1.0.0", - "evp_bytestokey": "^1.0.0", - "pbkdf2": "^3.0.3", - "safe-buffer": "^5.1.1" + "asn1.js": "^4.10.1", + "browserify-aes": "^1.2.0", + "evp_bytestokey": "^1.0.3", + "hash-base": "~3.0", + "pbkdf2": "^3.1.2", + "safe-buffer": "^5.2.1" + }, + "dependencies": { + "hash-base": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz", + "integrity": "sha512-EeeoJKjTyt868liAlVmcv2ZsUfGHlE3Q+BICOXcZiwN3osr5Q/zFGYmTJpoIzuaSTAwndFy+GqhEwlU4L3j4Ow==", + "dev": true, + "requires": { + "inherits": "^2.0.1", + "safe-buffer": "^5.0.1" + } + } } }, "parseurl": { @@ -7351,9 +7409,9 @@ "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==" }, "requirejs": { - "version": "2.3.6", - "resolved": "https://registry.npmjs.org/requirejs/-/requirejs-2.3.6.tgz", - "integrity": "sha512-ipEzlWQe6RK3jkzikgCupiTbTvm4S0/CAU5GlgptkN5SO6F3u0UD0K18wy6ErDqiCyP4J4YYe1HuAShvsxePLg==" + "version": "2.3.7", + "resolved": "https://registry.npmjs.org/requirejs/-/requirejs-2.3.7.tgz", + "integrity": "sha512-DouTG8T1WanGok6Qjg2SXuCMzszOo0eHeH9hDZ5Y4x8Je+9JB38HdTLT4/VA8OaUhBa0JPVHJ0pyBkM1z+pDsw==" }, "requires-port": { "version": "1.0.0", 
@@ -8038,9 +8096,9 @@ "dev": true }, "ws": { - "version": "8.14.2", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.14.2.tgz", - "integrity": "sha512-wEBG1ftX4jcglPxgFCMJmZ2PLtSbJ2Peg6TmpJFTbe9GZYOQCDPdMYu/Tm0/bGZkw8paZnJY45J4K2PZrLYq8g==", + "version": "8.17.1", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", + "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", "requires": {} }, "xtend": { diff --git a/workshop-images/base-environment/opt/gateway/package.json b/workshop-images/base-environment/opt/gateway/package.json index 661a0da33..d97337434 100644 --- a/workshop-images/base-environment/opt/gateway/package.json +++ b/workshop-images/base-environment/opt/gateway/package.json @@ -16,7 +16,7 @@ "dependencies": { "@amplitude/analytics-browser": "^2.3.5", "@fortawesome/fontawesome-free": "^6.5.1", - "axios": "^1.6.2", + "axios": "^1.7.4", "axios-retry": "^3.9.1", "bootstrap": "^5.3.2", "bufferutil": "^4.0.8", @@ -43,14 +43,14 @@ "popper.js": "^1.16.1", "pug": "^3.0.3", "qrcode": "^1.5.1", - "requirejs": "^2.3.6", + "requirejs": "^2.3.7", "semver": "^7.5.4", "simple-oauth2": "^5.0.0", "split.js": "^1.6.5", "utf-8-validate": "^6.0.3", "uuid": "^9.0.1", "winston": "^3.11.0", - "ws": "^8.14.2", + "ws": "^8.17.1", "@xterm/xterm": "^5.5.0", "@xterm/addon-fit": "^0.10.0", "@xterm/addon-web-links": "^0.11.0" diff --git a/workshop-images/base-environment/opt/gateway/src/backend/modules/config.ts b/workshop-images/base-environment/opt/gateway/src/backend/modules/config.ts index 8aeefd3da..5e149b6c6 100644 --- a/workshop-images/base-environment/opt/gateway/src/backend/modules/config.ts +++ b/workshop-images/base-environment/opt/gateway/src/backend/modules/config.ts 
@@ -66,6 +66,9 @@ const TERMINAL_LAYOUT = process.env.TERMINAL_LAYOUT || "default" const RESTART_URL = process.env.RESTART_URL const FINISHED_MSG = process.env.FINISHED_MSG +const REGISTRY_AUTH_TOKEN = process.env.REGISTRY_AUTH_TOKEN || "" +const GIT_AUTH_TOKEN = process.env.GIT_AUTH_TOKEN || "" + const IMAGE_REPOSITORY = process.env.IMAGE_REPOSITORY || "registry.default.svc.cluster.local" const OCI_IMAGE_CACHE = process.env.OCI_IMAGE_CACHE || "workshop-images" const ASSETS_REPOSITORY = process.env.ASSETS_REPOSITORY || "workshop-assets" @@ -161,6 +164,8 @@ export let config = { finished_msg: FINISHED_MSG, kubernetes_token: kubernetes_token(), + registry_auth_token: REGISTRY_AUTH_TOKEN, + git_auth_token: GIT_AUTH_TOKEN, image_repository: IMAGE_REPOSITORY, oci_image_cache: OCI_IMAGE_CACHE, diff --git a/workshop-images/base-environment/opt/gateway/src/backend/modules/proxy.ts b/workshop-images/base-environment/opt/gateway/src/backend/modules/proxy.ts index 684174a09..c04f5d8bd 100644 --- a/workshop-images/base-environment/opt/gateway/src/backend/modules/proxy.ts +++ b/workshop-images/base-environment/opt/gateway/src/backend/modules/proxy.ts @@ -100,6 +100,8 @@ export function setup_proxy(app: express.Application, auth: string) { let name = header["name"] let value = header["value"] || "" value = value.split("$(kubernetes_token)").join(config.kubernetes_token || "") + value = value.split("$(registry_auth_token)").join(config.registry_auth_token || "") + value = value.split("$(git_auth_token)").join(config.git_auth_token || "") proxyReq.setHeader(name, value) } } 
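Review bot: The three `split("$(...)").join(...)` substitutions applied to the header value in this handler are repeated verbatim in the second handler of `setup_proxy` (the @@ -118 hunk), so the next placeholder has to be added in two places and the two lists can drift; extract them into a single helper and call `proxyReq.setHeader(name, expand_header_value(value))` from both sites. The `|| ""` fallbacks on the two new tokens are redundant given that config.ts already defaults `REGISTRY_AUTH_TOKEN` and `GIT_AUTH_TOKEN` to `""`, though harmless. Note that any header listed in the proxy configuration can now carry the registry or git credential; whether the upstream those headers are sent to is the one that should receive them is decided by that configuration, which is outside this hunk, as is the rest of `setup_proxy`.

```typescript
// Expands the credential placeholders a proxied header value may contain.
// Shared by both proxy handlers so the placeholder list lives in one place.
function expand_header_value(value: string): string {
    return value
        .split("$(kubernetes_token)").join(config.kubernetes_token || "")
        .split("$(registry_auth_token)").join(config.registry_auth_token || "")
        .split("$(git_auth_token)").join(config.git_auth_token || "")
}

// … unchanged: header loop in setup_proxy …
proxyReq.setHeader(name, expand_header_value(header["value"] || ""))
```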
@@ -118,6 +120,8 @@ export function setup_proxy(app: express.Application, auth: string) {
 let name = header["name"]
 let value = header["value"] || ""
 value = value.split("$(kubernetes_token)").join(config.kubernetes_token || "")
+value = value.split("$(registry_auth_token)").join(config.registry_auth_token || "")
+value = value.split("$(git_auth_token)").join(config.git_auth_token || "")
 proxyReq.setHeader(name, value)
 }
 }
diff --git a/workshop-images/base-environment/opt/gateway/src/backend/server.ts b/workshop-images/base-environment/opt/gateway/src/backend/server.ts
index 26cd71dd8..16c7d0bc5 100644
--- a/workshop-images/base-environment/opt/gateway/src/backend/server.ts
+++ b/workshop-images/base-environment/opt/gateway/src/backend/server.ts
@@ -55,15 +55,24 @@ app.set("trust proxy", true)
 // deliberately added up front so that it isn't gated by authentication.
 
 let last_accessed: number = (new Date()).getTime()
+let last_exposed: number = (new Date()).getTime()
 
 app.get("/session/poll", (req, res) => {
 last_accessed = (new Date()).getTime()
+
+const hidden = req.query.hidden
+
+if (hidden != "true") {
+last_exposed = last_accessed
+}
+
 res.json({})
 })
 
 app.get("/session/activity", (req, res) => {
 const idle_time = ((new Date()).getTime() - last_accessed) / 1000.0
-res.json({ "idle-time": idle_time })
+const last_view = ((new Date()).getTime() - last_exposed) / 1000.0
+res.json({ "idle-time": idle_time, "last-view": last_view })
 })
 
 // Short circuit WebDAV access as it handles its own authentication.
diff --git a/workshop-images/base-environment/opt/renderer/src/backend/modules/config.ts b/workshop-images/base-environment/opt/renderer/src/backend/modules/config.ts
index 6dab55558..5938bed2a 100644
--- a/workshop-images/base-environment/opt/renderer/src/backend/modules/config.ts
+++ b/workshop-images/base-environment/opt/renderer/src/backend/modules/config.ts
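Review bot: `if (hidden != "true")` in the `/session/poll` handler compares `req.query.hidden` with loose equality, and Express gives that value as string, string array or nested object rather than a plain string, so a repeated parameter such as `?hidden=true&hidden=true` coerces its array to `"true"` and is treated as hidden while any other shape is treated as visible. Use `if (req.query.hidden !== "true") { last_exposed = last_accessed }` so only the exact string suppresses the update. The comment directly above the new line says this route is deliberately not gated by authentication, so `last_exposed`, like `last_accessed`, can be refreshed by any client able to reach the gateway; if the new `last-view` value is used to decide when a session is reaped, that limitation belongs in a comment on the declaration, e.g. `// Time of the last poll from a visible tab; the route is unauthenticated, so treat as advisory.`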
@@ -167,6 +167,7 @@ if (process.env.ENABLE_REGISTRY == "true") {
 config.variables.push({ name: "registry_auth_file", content: process.env.REGISTRY_AUTH_FILE || "" })
 config.variables.push({ name: "registry_username", content: process.env.REGISTRY_USERNAME || "" })
 config.variables.push({ name: "registry_password", content: process.env.REGISTRY_PASSWORD || "" })
+config.variables.push({ name: "registry_auth_token", content: process.env.REGISTRY_AUTH_TOKEN || "" })
 config.variables.push({ name: "registry_secret", content: process.env.REGISTRY_SECRET || "" })
 }
 
@@ -175,6 +176,7 @@ if (process.env.ENABLE_GIT == "true") {
 config.variables.push({ name: "git_host", content: process.env.GIT_HOST || "" })
 config.variables.push({ name: "git_username", content: process.env.GIT_USERNAME || "" })
 config.variables.push({ name: "git_password", content: process.env.GIT_PASSWORD || "" })
+config.variables.push({ name: "git_auth_token", content: process.env.GIT_AUTH_TOKEN || "" })
 }
 
 for (let key in process.env)
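Review bot: The new `registry_auth_token` and `git_auth_token` entries are appended to `config.variables` right next to `registry_password` and `git_password`, so whatever consumes `config.variables` for substitution into rendered workshop content will now receive these tokens too; the hunk does not say whether they are per-session credentials, and a token shared across sessions would be exposed to every workshop user that way. A one-line comment above each new push would make the intent explicit, e.g. `// Session-scoped token, substituted into rendered content like registry_password.` — reworded if the token is not session-scoped. The enclosing `if (process.env.ENABLE_REGISTRY == "true")` block starts outside the hunk.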