diff --git a/Makefile b/Makefile index fcb2f2ed9c..a84483d900 100644 --- a/Makefile +++ b/Makefile @@ -153,10 +153,6 @@ lint-custom: custom-linter-build #EXHELP Call custom linter for the project lint-api-diff: $(GOLANGCI_LINT) #HELP Validate API changes using kube-api-linter with diff-aware analysis hack/api-lint-diff/run.sh -.PHONY: k8s-pin -k8s-pin: #EXHELP Pin k8s staging modules based on k8s.io/kubernetes version (in go.mod or from K8S_IO_K8S_VERSION env var) and run go mod tidy. - K8S_IO_K8S_VERSION='$(K8S_IO_K8S_VERSION)' go run hack/tools/k8smaintainer/main.go - .PHONY: tidy #HELP Run go mod tidy. tidy: go mod tidy @@ -204,7 +200,7 @@ generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyI $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) object:headerFile="hack/boilerplate.go.txt" paths="./..." .PHONY: verify -verify: k8s-pin kind-verify-versions fmt generate manifests update-tls-profiles crd-ref-docs update-registryv1-bundle-schema verify-bingo #HELP Verify all generated code is up-to-date. Runs k8s-pin instead of just tidy. +verify: tidy kind-verify-versions fmt generate manifests update-tls-profiles crd-ref-docs update-registryv1-bundle-schema verify-bingo #HELP Verify all generated code is up-to-date. git diff --exit-code .PHONY: verify-bingo diff --git a/api/v1/clusterextension_types.go b/api/v1/clusterextension_types.go index ee55109f86..bd333f096e 100644 --- a/api/v1/clusterextension_types.go +++ b/api/v1/clusterextension_types.go @@ -66,14 +66,14 @@ type ClusterExtensionSpec struct { // +required Namespace string `json:"namespace"` - // serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - // that are required to manage the extension. - // The ServiceAccount must be configured with the necessary permissions to perform these interactions. - // The ServiceAccount must exist in the namespace referenced in the spec. - // The serviceAccount field is required. + // serviceAccount was previously used to specify a ServiceAccount for managing the extension. + // This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + // for all Kubernetes API interactions. // - // +required - ServiceAccount ServiceAccountReference `json:"serviceAccount"` + // Deprecated: This field is ignored. It will be removed in a future API version. + // + // +optional + ServiceAccount ServiceAccountReference `json:"serviceAccount,omitzero"` // source is required and selects the installation source of content for this ClusterExtension. // Set the sourceType field to perform the selection. @@ -376,7 +376,10 @@ type CatalogFilter struct { UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"` } -// ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension. +// ServiceAccountReference identifies the serviceAccount used to install a ClusterExtension. +// +// Deprecated: This type is deprecated and will be removed in a future API version. +// operator-controller now uses its own ServiceAccount for all operations. type ServiceAccountReference struct { // name is a required, immutable reference to the name of the ServiceAccount used for installation // and management of the content for the package specified in the packageName field. @@ -549,6 +552,10 @@ type ClusterExtensionInstallStatus struct { // +kubebuilder:printcolumn:name=Age,type=date,JSONPath=`.metadata.creationTimestamp` // ClusterExtension is the Schema for the clusterextensions API +// +// WARNING: This is a cluster-admin-only API. Creating a ClusterExtension instructs +// operator-controller to install arbitrary workloads and RBAC, which is equivalent to +// cluster-admin privileges. Only cluster administrators should have write access to this resource. type ClusterExtension struct { metav1.TypeMeta `json:",inline"` diff --git a/api/v1/validation_test.go b/api/v1/validation_test.go index c2f8574930..1395d07428 100644 --- a/api/v1/validation_test.go +++ b/api/v1/validation_test.go @@ -23,9 +23,6 @@ func TestValidate(t *testing.T) { } defaultExtensionSpec := func(s *ClusterExtensionSpec) *ClusterExtensionSpec { s.Namespace = "ns" - s.ServiceAccount = ServiceAccountReference{ - Name: "sa", - } s.Source = SourceConfig{ SourceType: SourceTypeCatalog, Catalog: &CatalogFilter{ diff --git a/applyconfigurations/api/v1/clusterextensionspec.go b/applyconfigurations/api/v1/clusterextensionspec.go index 56c6533923..b654db6f77 100644 --- a/applyconfigurations/api/v1/clusterextensionspec.go +++ b/applyconfigurations/api/v1/clusterextensionspec.go @@ -34,11 +34,11 @@ type ClusterExtensionSpecApplyConfiguration struct { // // [RFC 1123]: https://tools.ietf.org/html/rfc1123 Namespace *string `json:"namespace,omitempty"` - // serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - // that are required to manage the extension. - // The ServiceAccount must be configured with the necessary permissions to perform these interactions. - // The ServiceAccount must exist in the namespace referenced in the spec. - // The serviceAccount field is required. + // serviceAccount was previously used to specify a ServiceAccount for managing the extension. + // This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + // for all Kubernetes API interactions. + // + // Deprecated: This field is ignored. It will be removed in a future API version. ServiceAccount *ServiceAccountReferenceApplyConfiguration `json:"serviceAccount,omitempty"` // source is required and selects the installation source of content for this ClusterExtension. // Set the sourceType field to perform the selection. diff --git a/applyconfigurations/api/v1/serviceaccountreference.go b/applyconfigurations/api/v1/serviceaccountreference.go index 436cab65ff..64969588e2 100644 --- a/applyconfigurations/api/v1/serviceaccountreference.go +++ b/applyconfigurations/api/v1/serviceaccountreference.go @@ -20,7 +20,10 @@ package v1 // ServiceAccountReferenceApplyConfiguration represents a declarative configuration of the ServiceAccountReference type for use // with apply. // -// ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension. +// ServiceAccountReference identifies the serviceAccount used to install a ClusterExtension. +// +// Deprecated: This type is deprecated and will be removed in a future API version. +// operator-controller now uses its own ServiceAccount for all operations. type ServiceAccountReferenceApplyConfiguration struct { // name is a required, immutable reference to the name of the ServiceAccount used for installation // and management of the content for the package specified in the packageName field. diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go index f026c02228..b1410a1170 100644 --- a/cmd/operator-controller/main.go +++ b/cmd/operator-controller/main.go @@ -59,8 +59,6 @@ import ( ocv1 "github.com/operator-framework/operator-controller/api/v1" "github.com/operator-framework/operator-controller/internal/operator-controller/action" "github.com/operator-framework/operator-controller/internal/operator-controller/applier" - "github.com/operator-framework/operator-controller/internal/operator-controller/authentication" - "github.com/operator-framework/operator-controller/internal/operator-controller/authorization" "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache" catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client" "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager" @@ -475,11 +473,10 @@ func run() error { certProvider := getCertificateProvider() regv1ManifestProvider := &applier.RegistryV1ManifestProvider{ - BundleRenderer: registryv1.Renderer, - CertificateProvider: certProvider, - IsWebhookSupportEnabled: certProvider != nil, - IsSingleOwnNamespaceEnabled: features.OperatorControllerFeatureGate.Enabled(features.SingleOwnNamespaceInstallSupport), - IsDeploymentConfigEnabled: features.OperatorControllerFeatureGate.Enabled(features.DeploymentConfig), + BundleRenderer: registryv1.Renderer, + CertificateProvider: certProvider, + IsWebhookSupportEnabled: certProvider != nil, + IsDeploymentConfigEnabled: features.OperatorControllerFeatureGate.Enabled(features.DeploymentConfig), } var cerCfg reconcilerConfigurator if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) { @@ -599,12 +596,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl return err } - // determine if PreAuthorizer should be enabled based on feature gate - var preAuth authorization.PreAuthorizer - if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) { - preAuth = authorization.NewRBACPreAuthorizer(c.mgr.GetClient()) - } - // TODO: better scheme handling - which types do we want to support? _ = apiextensionsv1.AddToScheme(c.mgr.GetScheme()) rg := &applier.SimpleRevisionGenerator{ @@ -617,7 +608,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl Scheme: c.mgr.GetScheme(), RevisionGenerator: rg, Preflights: c.preflights, - PreAuthorizer: preAuth, FieldOwner: fieldOwner, } revisionStatesGetter := &controllers.BoxcutterRevisionStatesGetter{Reader: c.mgr.GetClient()} @@ -630,9 +620,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl } ceReconciler.ReconcileSteps = []controllers.ReconcileStepFunc{ controllers.HandleFinalizers(c.finalizers), - controllers.ValidateClusterExtension( - controllers.ServiceAccountValidator(coreClient), - ), controllers.MigrateStorage(storageMigrator), controllers.RetrieveRevisionStates(revisionStatesGetter), controllers.ResolveBundle(c.resolver, c.mgr.GetClient()), @@ -662,29 +649,19 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl return fmt.Errorf("unable to add tracking cache to manager: %v", err) } - cerCoreClient, err := corev1client.NewForConfig(c.mgr.GetConfig()) - if err != nil { - return fmt.Errorf("unable to create client for ClusterExtensionRevision controller: %w", err) - } - cerTokenGetter := authentication.NewTokenGetter(cerCoreClient, authentication.WithExpirationDuration(1*time.Hour)) - - revisionEngineFactory, err := controllers.NewDefaultRevisionEngineFactory( + revisionEngine := controllers.NewRevisionEngine( c.mgr.GetScheme(), trackingCache, discoveryClient, c.mgr.GetRESTMapper(), fieldOwnerPrefix, - c.mgr.GetConfig(), - cerTokenGetter, + c.mgr.GetClient(), ) - if err != nil { - return fmt.Errorf("unable to create revision engine factory: %w", err) - } if err = (&controllers.ClusterExtensionRevisionReconciler{ - Client: c.mgr.GetClient(), - RevisionEngineFactory: revisionEngineFactory, - TrackingCache: trackingCache, + Client: c.mgr.GetClient(), + RevisionEngine: revisionEngine, + TrackingCache: trackingCache, }).SetupWithManager(c.mgr); err != nil { return fmt.Errorf("unable to setup ClusterExtensionRevision controller: %w", err) } @@ -696,11 +673,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster if err != nil { return fmt.Errorf("unable to create core client: %w", err) } - tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour)) - clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter) - if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) { - clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper) - } cfgGetter, err := helmclient.NewActionConfigGetter(c.mgr.GetConfig(), c.mgr.GetRESTMapper(), helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, c.mgr.GetAPIReader(), cfg.systemNamespace)), @@ -708,7 +680,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster ext := obj.(*ocv1.ClusterExtension) return ext.Spec.Namespace, nil }), - helmclient.ClientRestConfigMapper(clientRestConfigMapper), ) if err != nil { return fmt.Errorf("unable to create helm action config getter: %w", err) @@ -721,24 +692,20 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster return fmt.Errorf("unable to create helm action client getter: %w", err) } - // determine if PreAuthorizer should be enabled based on feature gate - var preAuth authorization.PreAuthorizer - if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) { - preAuth = authorization.NewRBACPreAuthorizer(c.mgr.GetClient()) + cm, err := contentmanager.NewManager(c.mgr.GetConfig(), c.mgr.GetRESTMapper()) + if err != nil { + setupLog.Error(err, "unable to create content manager") + return err } - - cm := contentmanager.NewManager(clientRestConfigMapper, c.mgr.GetConfig(), c.mgr.GetRESTMapper()) err = c.finalizers.Register(controllers.ClusterExtensionCleanupContentManagerCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) { - ext := obj.(*ocv1.ClusterExtension) - err := cm.Delete(ext) - return crfinalizer.Result{}, err + cm.Delete(ctx, obj.GetName()) + return crfinalizer.Result{}, nil })) if err != nil { setupLog.Error(err, "unable to register content manager cleanup finalizer") return err } - // now initialize the helmApplier, assigning the potentially nil preAuth appl := &applier.Helm{ ActionClientGetter: acg, Preflights: c.preflights, @@ -746,16 +713,12 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster ManifestProvider: c.regv1ManifestProvider, }, HelmReleaseToObjectsConverter: &applier.HelmReleaseToObjectsConverter{}, - PreAuthorizer: preAuth, Watcher: c.watcher, Manager: cm, } revisionStatesGetter := &controllers.HelmRevisionStatesGetter{ActionClientGetter: acg} ceReconciler.ReconcileSteps = []controllers.ReconcileStepFunc{ controllers.HandleFinalizers(c.finalizers), - controllers.ValidateClusterExtension( - controllers.ServiceAccountValidator(coreClient), - ), controllers.RetrieveRevisionStates(revisionStatesGetter), controllers.ResolveBundle(c.resolver, c.mgr.GetClient()), controllers.UnpackBundle(c.imagePuller, c.imageCache), diff --git a/config/samples/olm_v1_clusterextension.yaml b/config/samples/olm_v1_clusterextension.yaml index 14c8e167e0..658746dbaf 100644 --- a/config/samples/olm_v1_clusterextension.yaml +++ b/config/samples/olm_v1_clusterextension.yaml @@ -4,284 +4,12 @@ kind: Namespace metadata: name: argocd --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-installer - namespace: argocd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argocd-installer-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-installer-clusterrole -subjects: -- kind: ServiceAccount - name: argocd-installer - namespace: argocd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-installer-clusterrole -rules: -# Allow ClusterExtension to set blockOwnerDeletion ownerReferences -- apiGroups: [olm.operatorframework.io] - resources: [clusterextensions/finalizers] - verbs: [update] - resourceNames: [argocd] -# Allow ClusterExtensionRevisions to set blockOwnerDeletion ownerReferences -- apiGroups: [olm.operatorframework.io] - resources: [clusterextensionrevisions/finalizers] - verbs: [update] -# Manage ArgoCD CRDs -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [create, list, watch] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, update, patch, delete] - resourceNames: - - appprojects.argoproj.io - - argocds.argoproj.io - - applications.argoproj.io - - argocdexports.argoproj.io - - applicationsets.argoproj.io -# Manage ArgoCD ClusterRoles and ClusterRoleBindings -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [create, list, watch] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [get, update, patch, delete] - resourceNames: - - argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx - - argocd-operator-metrics-reader - - argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: [create, list, watch] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: [get, update, patch, delete] - resourceNames: - - argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx - - argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argocd-installer-rbac-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-installer-rbac-clusterrole -subjects: -- kind: ServiceAccount - name: argocd-installer - namespace: argocd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-installer-rbac-clusterrole -rules: -# ArgoCD's operator requires the following permissions, which means the -# installer also needs them in order to create ArgoCD's RBAC objects. -- apiGroups: [""] - resources: [configmaps] - verbs: ['*'] -- apiGroups: [""] - resources: [endpoints] - verbs: ['*'] -- apiGroups: [""] - resources: [events] - verbs: ['*'] -- apiGroups: [""] - resources: [namespaces] - verbs: ['*'] -- apiGroups: [""] - resources: [persistentvolumeclaims] - verbs: ['*'] -- apiGroups: [""] - resources: [pods] - verbs: ['*', get] -- apiGroups: [""] - resources: [pods/log] - verbs: [get] -- apiGroups: [""] - resources: [secrets] - verbs: ['*'] -- apiGroups: [""] - resources: [serviceaccounts] - verbs: ['*'] -- apiGroups: [""] - resources: [services] - verbs: ['*'] -- apiGroups: [""] - resources: [services/finalizers] - verbs: ['*'] -- apiGroups: [apps] - resources: [daemonsets] - verbs: ['*'] -- apiGroups: [apps] - resources: [deployments] - verbs: ['*'] -- apiGroups: [apps] - resources: [deployments/finalizers] - resourceNames: [argocd-operator] - verbs: [update] -- apiGroups: [apps] - resources: [replicasets] - verbs: ['*'] -- apiGroups: [apps] - resources: [statefulsets] - verbs: ['*'] -- apiGroups: [apps.openshift.io] - resources: [deploymentconfigs] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [applications] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [appprojects] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [argocdexports] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [argocdexports/finalizers] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [argocdexports/status] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [argocds] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [argocds/finalizers] - verbs: ['*'] -- apiGroups: [argoproj.io] - resources: [argocds/status] - verbs: ['*'] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] -- apiGroups: [autoscaling] - resources: [horizontalpodautoscalers] - verbs: ['*'] -- apiGroups: [batch] - resources: [cronjobs] - verbs: ['*'] -- apiGroups: [batch] - resources: [jobs] - verbs: ['*'] -- apiGroups: [config.openshift.io] - resources: [clusterversions] - verbs: [get, list, watch] -- apiGroups: [monitoring.coreos.com] - resources: [prometheuses] - verbs: ['*'] -- apiGroups: [monitoring.coreos.com] - resources: [servicemonitors] - verbs: ['*'] -- apiGroups: [networking.k8s.io] - resources: [ingresses] - verbs: ['*'] -- apiGroups: [oauth.openshift.io] - resources: [oauthclients] - verbs: [create, delete, get, list, patch, update, watch] -- apiGroups: [rbac.authorization.k8s.io] - resources: ['*'] - verbs: ['*'] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: ['*'] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: ['*'] -- apiGroups: [route.openshift.io] - resources: [routes] - verbs: ['*'] -- apiGroups: [route.openshift.io] - resources: [routes/custom-host] - verbs: ['*'] -- apiGroups: [template.openshift.io] - resources: [templateconfigs] - verbs: ['*'] -- apiGroups: [template.openshift.io] - resources: [templateinstances] - verbs: ['*'] -- apiGroups: [template.openshift.io] - resources: [templates] - verbs: ['*'] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-installer-role - namespace: argocd -rules: -- apiGroups: [""] - resources: [serviceaccounts] - verbs: [create, list, watch] -- apiGroups: [""] - resources: [serviceaccounts] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-controller-manager] -- apiGroups: [""] - resources: [configmaps] - verbs: [create, list, watch] -- apiGroups: [coordination.k8s.io] - resources: [leases] - verbs: [get, list, watch, create, update, patch, delete] -- apiGroups: [""] - resources: [configmaps] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-manager-config] -- apiGroups: [""] - resources: [services] - verbs: [create, list, watch] -- apiGroups: [""] - resources: [services] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-controller-manager-metrics-service] -- apiGroups: [apps] - resources: [deployments] - verbs: [create, list, watch] -- apiGroups: [apps] - resources: [deployments] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-controller-manager] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-installer-binding - namespace: argocd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-installer-role -subjects: -- kind: ServiceAccount - name: argocd-installer - namespace: argocd ---- apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: diff --git a/docs/api-reference/olmv1-api-reference.md b/docs/api-reference/olmv1-api-reference.md index 3ee7f19386..0322bbc36a 100644 --- a/docs/api-reference/olmv1-api-reference.md +++ b/docs/api-reference/olmv1-api-reference.md @@ -223,6 +223,10 @@ _Appears in:_ ClusterExtension is the Schema for the clusterextensions API +WARNING: This is a cluster-admin-only API. Creating a ClusterExtension instructs +operator-controller to install arbitrary workloads and RBAC, which is equivalent to +cluster-admin privileges. Only cluster administrators should have write access to this resource. + _Appears in:_ @@ -340,7 +344,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `namespace` _string_ | namespace specifies a Kubernetes namespace.
This is the namespace where the provided ServiceAccount must exist.
It also designates the default namespace where namespace-scoped resources for the extension are applied to the cluster.
Some extensions may contain namespace-scoped resources to be applied in other namespaces.
This namespace must exist.
The namespace field is required, immutable, and follows the DNS label standard as defined in [RFC 1123].
It must contain only lowercase alphanumeric characters or hyphens (-), start and end with an alphanumeric character,
and be no longer than 63 characters.
[RFC 1123]: https://tools.ietf.org/html/rfc1123 | | MaxLength: 63
Required: \{\}
| -| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster
that are required to manage the extension.
The ServiceAccount must be configured with the necessary permissions to perform these interactions.
The ServiceAccount must exist in the namespace referenced in the spec.
The serviceAccount field is required. | | Required: \{\}
| +| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount was previously used to specify a ServiceAccount for managing the extension.
This field is now deprecated and ignored. operator-controller uses its own ServiceAccount
for all Kubernetes API interactions.
Deprecated: This field is ignored. It will be removed in a future API version. | | Optional: \{\}
| | `source` _[SourceConfig](#sourceconfig)_ | source is required and selects the installation source of content for this ClusterExtension.
Set the sourceType field to perform the selection.
Catalog is currently the only implemented sourceType.
Setting sourceType to "Catalog" requires the catalog field to also be defined.
Below is a minimal example of a source definition (in yaml):
source:
sourceType: Catalog
catalog:
packageName: example-package | | Required: \{\}
| | `install` _[ClusterExtensionInstallConfig](#clusterextensioninstallconfig)_ | install is optional and configures installation options for the ClusterExtension,
such as the pre-flight check configuration. | | Optional: \{\}
| | `config` _[ClusterExtensionConfig](#clusterextensionconfig)_ | config is optional and specifies bundle-specific configuration.
Configuration is bundle-specific and a bundle may provide a configuration schema.
When not specified, the default configuration of the resolved bundle is used.
config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide
a configuration schema the bundle is deemed to not be configurable. More information on how
to configure bundles can be found in the OLM documentation associated with your current OLM version. | | Optional: \{\}
| @@ -458,7 +462,10 @@ _Appears in:_ -ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension. +ServiceAccountReference identifies the serviceAccount used to install a ClusterExtension. + +Deprecated: This type is deprecated and will be removed in a future API version. +operator-controller now uses its own ServiceAccount for all operations. diff --git a/docs/concepts/controlling-catalog-selection.md b/docs/concepts/controlling-catalog-selection.md index 384b7faf34..e4d77ae7d5 100644 --- a/docs/concepts/controlling-catalog-selection.md +++ b/docs/concepts/controlling-catalog-selection.md @@ -24,8 +24,6 @@ metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: @@ -50,8 +48,6 @@ metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: @@ -72,8 +68,6 @@ metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: @@ -102,8 +96,6 @@ metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: @@ -127,8 +119,6 @@ metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: @@ -226,8 +216,6 @@ If the system cannot resolve to a single bundle due to ambiguity, it will genera name: install-my-operator spec: namespace: my-operator-ns - serviceAccount: - name: my-operator-installer source: sourceType: Catalog catalog: diff --git a/docs/concepts/crd-upgrade-safety.md b/docs/concepts/crd-upgrade-safety.md index 53aef8f69e..7eeb532d77 100644 --- a/docs/concepts/crd-upgrade-safety.md +++ b/docs/concepts/crd-upgrade-safety.md @@ -62,8 +62,6 @@ metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: diff --git a/docs/concepts/permission-model.md b/docs/concepts/permission-model.md index cc23b7c959..73a19e1672 100644 --- a/docs/concepts/permission-model.md +++ b/docs/concepts/permission-model.md @@ -1,29 +1,23 @@ #### OLMv1 Permission Model -Here we aim to describe the OLMv1 permission model. OLMv1 itself does not have cluster-wide admin permissions. Therefore, each cluster extension must specify a service account with sufficient permissions to install and manage it. While this service account is distinct from any service account defined in the bundle, it will need sufficient privileges to create and assign the required RBAC. Therefore, the cluster extension service account's privileges would be a superset of the privileges required by the service account in the bundle. +OLM v1's permission model is built on a simple principle: **operator-controller runs as cluster-admin**, and the security boundary is defined by who can create and modify `ClusterExtension` and `ClusterCatalog` resources. -To understand the permission model, lets see the scope of the the service accounts associated with ClusterExtension deployment: +#### How It Works -#### Service Account associated with the ClusterExtension CR +1. **operator-controller** runs with `cluster-admin` privileges, giving it full authority to install and manage extension lifecycle resources (CRDs, Deployments, RBAC, etc.) on behalf of `ClusterExtension` objects. +2. **Security is enforced via RBAC on the OLM APIs themselves.** Only cluster administrators should have `create`, `update`, or `delete` permissions on `ClusterExtension` and `ClusterCatalog` resources. +3. **Creating a `ClusterExtension` is equivalent to having cluster-admin privileges**, because it instructs operator-controller to install arbitrary workloads and RBAC. Cluster administrators must not grant non-admin users write access to these APIs. -1) The ClusterExtension CR defines a service account to deploy and manage the ClusterExtension lifecycle and can be derived using the [document](../howto/derive-service-account.md). It is specified in the ClusterExtension [yaml](../tutorials/install-extension#L71) while deploying a ClusterExtension. -2) The purpose of the service account specified in the ClusterExtension spec is to manage the cluster extension lifecycle. Its permissions are the cumulative of the permissions required for managing the cluster extension lifecycle and any RBAC that maybe included in the extension bundle. -3) Since the extension bundle contains its own RBAC, it means the ClusterExtension service account requires either: -- the same set of permissions that are defined in the RBAC that it is trying to create. -- bind/escalate verbs for RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping +#### Security Considerations -#### Service Account/(s) part of the Extension Bundle -1) The contents of the extension bundle may contain more service accounts and RBAC. -2) The OLMv1 operator-controller creates the service account/(s) defined as part of the extension bundle with the required RBAC for the controller business logic. +!!! warning + `ClusterExtension` and `ClusterCatalog` are **cluster-admin-only APIs**. Granting non-admin users + `create`, `update`, or `delete` access on these resources is equivalent to granting them cluster-admin + privileges. -##### Example: +- Cluster admins must audit RBAC to ensure only trusted users can manage `ClusterExtension` and `ClusterCatalog` resources. +- The rationale for this model is explained in the [Design Decisions](../project/olmv1_design_decisions.md) document. -Lets consider deployment of the ArgoCD operator. The ClusterExtension ClusterResource specifies a service account as part of its spec, usually denoted as the ClusterExtension installer service account. -The ArgoCD operator specifies the `argocd-operator-controller-manager` [service account](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L1124) with necessary RBAC for the bundle resources and OLMv1 creates it as part of this extension bundle deployment. +#### Extension Resources -The extension bundle CSV contains the [permissions](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L1091) and [cluster permissions](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L872) allow the operator to manage and run the controller logic. These permissions are assigned to the `argocd-operator-controller-manager` service account when the operator bundle is deployed. - -OLM v1 will assign all the RBAC specified in the extension bundle to the above service account. -The ClusterExtension installer service account will need all the RBAC specified for the `argocd-operator-controller-manager` and additional RBAC for deploying the ClusterExtension. - -**Note**: The ClusterExtension permissions are not propogated to the deployment. The ClusterExtension service account and the bundle's service accounts have different purposes and naming conflicts between the two service accounts can lead to failure of ClusterExtension deployment. +operator-controller installs and manages all resources declared in an extension's bundle, including any ServiceAccounts, RBAC, Deployments, and other Kubernetes objects. These resources are distinct from operator-controller's own service account and are scoped to whatever the bundle declares. diff --git a/docs/concepts/upgrade-support.md b/docs/concepts/upgrade-support.md index 8ad7d589ad..2bb41173af 100644 --- a/docs/concepts/upgrade-support.md +++ b/docs/concepts/upgrade-support.md @@ -46,8 +46,6 @@ metadata: name: spec: namespace: - serviceAccount: - name: source: sourceType: Catalog catalog: @@ -98,8 +96,6 @@ metadata: name: extension-sample spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: diff --git a/docs/draft/howto/configure-bundles.md b/docs/draft/howto/configure-bundles.md index 1cdd82739d..3f4f2ec0b1 100644 --- a/docs/draft/howto/configure-bundles.md +++ b/docs/draft/howto/configure-bundles.md @@ -1,101 +1,28 @@ ## Description -!!! note -This feature is still `experimental` and the `SingleOwnNamespaceInstallSupport` feature-gate must be enabled to make use of it. -See the instructions below on how to enable it. +# Configuring OLM v1 Extensions: Deployment Configuration ---- +In OLM v1, extensions are configured through the `ClusterExtension` resource. This guide explains how to customize operator deployments using the `deploymentConfig` option. -# Configuring OLM v1 Extensions: Migration and Reference +## Deployment Configuration -In OLM v1, the way extensions are configured has changed significantly to improve flexibility and consistency. This guide explains the architectural shift from OLM v0, how to inspect bundles for supported configurations, and how to correctly configure `registry+v1` (legacy) bundles using the new `ClusterExtension` API. +The `deploymentConfig` option allows you to customize operator deployments with environment variables, resource limits, node selectors, tolerations, and other settings. This follows the same structure as OLM v0's `Subscription.spec.config`. -## OLM v0 vs. OLM v1: The Configuration Shift +### Available Fields -In **OLM v0**, configuration was split across multiple resources and concepts. "Install Modes" (defining which namespaces an Operator watches) were handled by the `OperatorGroup` resource, while operand configuration (environment variables, resource limits) was handled via the `Subscription` resource. +| Field | Description | +|:----------------|:------------------------------------------------------| +| `env` | Environment variables to set on the operator container | +| `envFrom` | Sources for environment variables | +| `resources` | CPU/memory resource requests and limits | +| `nodeSelector` | Node labels for pod scheduling | +| `tolerations` | Tolerations for node taints | +| `volumes` | Additional volumes to mount | +| `volumeMounts` | Volume mount paths for the operator container | +| `affinity` | Pod scheduling affinity rules | +| `annotations` | Additional annotations to add to the deployment | -In **OLM v1**, these concepts are unified under the **ClusterExtension** resource. - -| Feature | OLM v0 Approach | OLM v1 Approach | -|:--------------------|:----------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------| -| **Namespace Scope** | Defined by **OperatorGroup**. You had to pre-create an OperatorGroup to tell the Operator where to watch. | Defined by **Configuration**. You provide a `watchNamespace` value directly in the `ClusterExtension` YAML. | -| **User Settings** | `Subscription.spec.config` (e.g., env, resources). | `ClusterExtension.spec.config.inline` (arbitrary JSON/YAML defined by the bundle author). | -| **Multi-Tenancy** | "Install Modes" allowed multiple instances of an operator to exist. | "Install Modes" are treated as **bundle configuration**. You install the extension once, and configure it to watch specific areas. | - -### The `watchNamespace` Configuration - -For existing `registry+v1` bundles (standard OLM bundles), OLM v1 automatically generates a configuration schema based on the bundle's capabilities. The primary configuration field available is `watchNamespace`. - -* **OLM v0:** You selected `SingleNamespace` mode by creating an `OperatorGroup` that targeted a specific namespace. -* **OLM v1:** You set `watchNamespace: "my-target-namespace"` inside the `ClusterExtension` config. - -## Step 1: Identifying Bundle Capabilities - -Before configuring a bundle, you must understand which Install Modes it supports. OLM v1 does not allow you to force a configuration that the bundle author has not explicitly supported. - -You can inspect a bundle image using the `opm` CLI tool and `jq` to parse the output. - -**Prerequisites:** -* `opm` CLI installed. -* `jq` installed. - -**Command:** - -Run the following command, replacing `` with your target image (e.g., `quay.io/example/my-operator-bundle:v1.0.0`). - -```bash -opm render -o json | \ -jq 'select(.schema == "olm.bundle") | .properties[] | select(.type == "olm.csv") | .value.spec.installModes' -``` - -**Example Output:** - -```json -[ - { - "type": "OwnNamespace", - "supported": true - }, - { - "type": "SingleNamespace", - "supported": true - }, - { - "type": "MultiNamespace", - "supported": false - }, - { - "type": "AllNamespaces", - "supported": false - } -] -``` - -By analyzing which modes are marked `true`, you can determine how to configure the `ClusterExtension` in the next step. - -## Step 2: Capability Matrix & Configuration Guide - -Use the output from Step 1 to locate your bundle's capabilities in the matrix below. This determines if you *must* provide configuration, if it is optional, and what values are valid. - -### Legend -* **Install Namespace:** The namespace where the Operator logic (Pod) runs (defined in `ClusterExtension.spec.namespace`). -* **Watch Namespace:** The namespace the Operator monitors for Custom Resources (defined in `spec.config.inline.watchNamespace`). - -### Configuration Matrix - -| Capabilities Detected (from `opm`) | `watchNamespace` Field Status | Valid Values / Constraints | -|:-----------------------------------------|:------------------------------|:----------------------------------------------------------------------------------------------------------| -| **OwnNamespace ONLY** | **Required** | Must be exactly the same as the **Install Namespace**. | -| **SingleNamespace ONLY** | **Required** | Must be **different** from the Install Namespace. | -| **OwnNamespace** AND **SingleNamespace** | **Required** | Can be **any** namespace (either the install namespace or a different one). | -| **AllNamespaces** (regardless of others) | **Optional** | If omitted: defaults to Cluster-wide watch.
If provided: can be any specific namespace (limits scope). | - -### Common Configuration Scenarios - -#### Scenario A: The Legacy "OwnNamespace" Operator -* **Capability:** Only supports `OwnNamespace`. -* **Requirement:** The operator is hardcoded to watch its own namespace. -* **Config:** You must explicitly set `watchNamespace` to match the installation namespace. +### Example: Setting Environment Variables and Resource Limits ```yaml apiVersion: olm.operatorframework.io/v1 @@ -103,70 +30,57 @@ kind: ClusterExtension metadata: name: my-operator spec: - namespace: my-operator-ns # <--- Install Namespace - serviceAccount: - name: my-sa + namespace: my-operator-ns config: configType: Inline inline: - watchNamespace: my-operator-ns # <--- MUST match Install Namespace + deploymentConfig: + env: + - name: LOG_LEVEL + value: debug + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "500m" source: sourceType: Catalog catalog: packageName: my-package ``` -#### Scenario B: The "SingleNamespace" Operator -* **Capability:** Supports `SingleNamespace` (but not `OwnNamespace`). -* **Requirement:** The operator runs in one namespace (e.g., `ops-system`) but watches workloads in another (e.g., `dev-team-a`). -* **Config:** You must set `watchNamespace` to the target workload namespace. +### Example: Node Scheduling ```yaml apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension metadata: - name: monitor-operator + name: my-operator spec: - namespace: ops-system # <--- Install Namespace - serviceAccount: - name: monitor-operator-installer - source: - sourceType: Catalog - catalog: - packageName: monitor-operator + namespace: my-operator-ns config: configType: Inline inline: - watchNamespace: dev-team-a # <--- MUST differ from Install Namespace -``` - -#### Scenario C: The Modern "AllNamespaces" Operator -* **Capability:** Only supports `AllNamespaces`. - -```yaml -apiVersion: olm.operatorframework.io/v1 -kind: ClusterExtension -metadata: - name: global-operator -spec: - namespace: operators - # No config provided = Operator watches the entire cluster (AllNamespaces) - serviceAccount: - name: global-operator-installer + deploymentConfig: + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: "node-role.kubernetes.io/infra" + operator: "Exists" + effect: "NoSchedule" source: sourceType: Catalog catalog: - packageName: global-operator + packageName: my-package ``` - ## Troubleshooting Configuration Errors OLM v1 validates your configuration against the bundle's schema before installation proceeds. If your configuration is invalid, the `ClusterExtension` will report a `Progressing` condition with an error message. -| Error Message Example | Cause | Solution | -|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------| -| `required field "watchNamespace" is missing` | The bundle does not support `AllNamespaces` default mode. | Add the `inline` block and specify a `watchNamespace`. | -| `invalid value "X": watchNamespace must be "Y" (the namespace where the operator is installed) because this operator only supports OwnNamespace install mode` | You tried to set a different watch namespace for an `OwnNamespace`-only bundle. | Change `watchNamespace` to match `spec.namespace`. | -| `invalid value "X": watchNamespace must be different from "Y" (the install namespace) because this operator uses SingleNamespace install mode to watch a different namespace` | You tried to set the watch namespace to the install namespace for a `SingleNamespace`-only bundle. | Change `watchNamespace` to a different target namespace. | -| `unknown field "foo"` | You added extra fields to the inline config. | Remove fields other than `watchNamespace` (unless the bundle author explicitly documents extra schema support). | +| Error Message Example | Cause | Solution | +|:--------------------------------|:---------------------------------------------|:---------------------------------------------------------| +| `unknown field "foo"` | You added fields not in the config schema. | Remove unsupported fields from the inline config. | +| `invalid type for field "..."` | A field has the wrong type (e.g., string instead of array). | Check the expected type and correct the value. | diff --git a/docs/draft/howto/enable-helm-chart-support.md b/docs/draft/howto/enable-helm-chart-support.md index 44d083707c..860690c898 100644 --- a/docs/draft/howto/enable-helm-chart-support.md +++ b/docs/draft/howto/enable-helm-chart-support.md @@ -396,8 +396,6 @@ In addition to the OCI registry, you will need a ClusterCatalog in the Kubernete namespace: metrics-server-system spec: namespace: metrics-server-system - serviceAccount: - name: metrics-server-installer source: sourceType: Catalog catalog: diff --git a/docs/draft/howto/rbac-permissions-checking.md b/docs/draft/howto/rbac-permissions-checking.md deleted file mode 100644 index 04c13bf0ce..0000000000 --- a/docs/draft/howto/rbac-permissions-checking.md +++ /dev/null @@ -1,54 +0,0 @@ -# How To Get Your Cluster Extension RBAC Right — Working with the Preflight Permissions Check - -Cluster Extensions in Operator Lifecycle Manager (OLM) v1 are installed and managed via a **service account** that you (the cluster admin) provide. Unlike OLM v0, OLM v1 itself doesn’t have cluster-admin privileges to grant Operators the access they need – **you** must ensure the service account has all necessary Role-Based Access Control (RBAC) permissions. If the service account is missing permissions, the extension’s installation will fail or hang. To address this, the **operator-controller** now performs a **preflight permissions check** before installing an extension. This check identifies any missing RBAC permissions up front and surfaces them to you so that you can fix the issues. - -## Understanding the Preflight Permissions Check - -When you create a `ClusterExtension` Custom Resource (CR) to install an Operator extension, the operator-controller will do a dry-run of the installation and verify that the specified service account can perform all the actions required by that extension. This includes creating all the Kubernetes objects in the bundle (Deployments, Services, CRDs, etc.), as well as creating any RBAC roles or bindings that the extension’s bundle defines. - -If any required permission is missing, the preflight check will **fail fast** *before* attempting the real installation. Instead of proceeding, the operator-controller records which permissions are missing. You’ll find this information in two places: - -- **ClusterExtension Status Conditions:** The `ClusterExtension` CR will have a condition (such as **Progressing** or **Installing**) with a message describing the missing permissions. The condition’s reason may be set to “Retrying” (meaning the controller will periodically retry the install) and the message will start with “pre-authorization failed: …”. -- **Operator-Controller Logs:** The same message is also logged by the operator-controller pod. If you have access to the operator-controller’s logs (in namespace `olm-controller` on OpenShift), you can see the detailed RBAC errors there as well. - -### Interpreting the Preflight Check Output - -The preflight check’s output enumerates the **RBAC rules** that the service account is missing. Each missing permission is listed in a structured format. For example, a message might say: - -``` -service account requires the following permissions to manage cluster extension: - Namespace:"" APIGroups:[] Resources:[services] Verbs:[list,watch] - Namespace:"pipelines" APIGroups:[] Resources:[secrets] Verbs:[get] -``` - -Let’s break down how to read this output: - -- **`Namespace:""`** – An empty namespace in quotes means the permission is needed at the **cluster scope** (not limited to a single namespace). In the example above, `Namespace:""` for Services indicates the service account needs the ability to list/watch Services cluster-wide. -- **`APIGroups:[]`** – An empty API group (`[]`) means the **core API group** (no group). For instance, core resources like Services, Secrets, ConfigMaps have `APIGroups:[]`. If the resource is part of a named API group (e.g. `apps`, `apiextensions.k8s.io`), that group would be listed here. -- **`Resources:[...]`** – The resource type that’s missing permissions. e.g. `services`, `secrets`, `customresourcedefinitions`. -- **`Verbs:[...]`** – The specific actions (verbs) that the service account is not allowed to do for that resource. Multiple verbs listed together means none of those verbs are permitted (and are all required). - -A few special cases to note: - -- **Privilege Escalation Cases:** If the extension’s bundle includes the creation of a Role or ClusterRole, the service account needs to have at least the permissions it is trying to grant. If not, the preflight check will report those verbs as missing to prevent privilege escalation. -- **Missing Role References (Resolution Errors):** If an Operator’s bundle references an existing ClusterRole or Role that is not found, the preflight check will report an “authorization evaluation error” listing the missing role. - -## Resolving Common RBAC Permission Errors - -Once you understand what each missing permission is, the fix is usually straightforward: **grant the service account those permissions**. Here are common scenarios and how to address them: - -- **Missing resource permissions (verbs):** Update or create a (Cluster)Role and RoleBinding/ClusterRoleBinding to grant the missing verbs on the resources in the specified namespaces or at cluster scope. -- **Privilege escalation missing permissions:** Treat these missing verbs as required for the installer as well, granting the service account those rights so it can create the roles it needs. -- **Missing roles/clusterroles:** Ensure any referenced roles exist by creating them or adjusting the extension’s expectations. - -## Demo Scenario (OpenShift) - -Below is an example demo you can run on OpenShift to see the preflight check in action: - -1. **Create a minimal ServiceAccount and ClusterRole** that lacks key permissions (e.g., missing list/watch on Services and create on CRDs). -2. **Apply a ClusterExtension** pointing to the Pipelines Operator package, specifying the above service account. -3. **Describe the ClusterExtension** (`oc describe clusterextension pipelines-operator`) to see the preflight “pre-authorization failed” errors listing missing permissions. -4. **Update the ClusterRole** to include the missing verbs. -5. **Reapply the role** and observe the ClusterExtension status clear and the operator proceed with installation. - -By following this guide and using the preflight output, you can iteratively grant exactly the permissions needed—no more, no less—ensuring your cluster extensions install reliably and securely. diff --git a/docs/draft/howto/single-ownnamespace-install.md b/docs/draft/howto/single-ownnamespace-install.md deleted file mode 100644 index 4152946871..0000000000 --- a/docs/draft/howto/single-ownnamespace-install.md +++ /dev/null @@ -1,116 +0,0 @@ -## Description - -!!! note -The `SingleOwnNamespaceInstallSupport` feature-gate is enabled by default. Use this guide to configure bundles that need Single or Own namespace install modes. - ---- - -A component of OLMv0's multi-tenancy feature is its support of four [*installModes*](https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/#targetnamespaces-and-their-relationship-to-installmodes): -for operator installation: - - - *OwnNamespace*: If supported, the operator can be configured to watch for events in the namespace it is deployed in. - - *SingleNamespace*: If supported, the operator can be configured to watch for events in a single namespace that the operator is not deployed in. - - *MultiNamespace*: If supported, the operator can be configured to watch for events in more than one namespace. - - *AllNamespaces*: If supported, the operator can be configured to watch for events in all namespaces. - -OLMv1 will not attempt multi-tenancy (see [design decisions document](../../project/olmv1_design_decisions.md)) and will think of operators -as globally installed, i.e. in OLMv0 parlance, as installed in *AllNamespaces* mode. However, there are operators that -were intended only for the *SingleNamespace* and *OwnNamespace* install modes. In order to make these operators installable in v1 while they -transition to the new model, v1 is adding support for these two new *installModes*. It should be noted that, in line with v1's no multi-tenancy policy, -users will not be able to install the same operator multiple times, and that in future iterations of the registry bundle format will not -include *installModes*. - -## Demos - -### SingleNamespace Install - -[![SingleNamespace Install Demo](https://asciinema.org/a/w1IW0xWi1S9cKQFb9jnR07mgh.svg)](https://asciinema.org/a/w1IW0xWi1S9cKQFb9jnR07mgh) - -### OwnNamespace Install - -[![OwnNamespace Install Demo](https://asciinema.org/a/Rxx6WUwAU016bXFDW74XLcM5i.svg)](https://asciinema.org/a/Rxx6WUwAU016bXFDW74XLcM5i) - -## Configuring the `ClusterExtension` - -A `ClusterExtension` can be configured to install bundle in `Single-` or `OwnNamespace` mode through the -`.spec.config.inline.watchNamespace` property which may or may not be present or required depending on the bundle's -install mode support, if the bundle: - - - only supports *AllNamespaces* mode => `watchNamespace` is not a configuration - - supports *AllNamespaces* and *SingleNamespace* and/or *OwnNamespace* => `watchNamespace` is optional - - bundle only supports *SingleNamespace* and/or *OwnNamespace* => `watchNamespace` is required - -The `watchNamespace` configuration can only be the install namespace if the bundle supports the *OwnNamespace* install mode, and -it can only be any other namespace if the bundle supports the *SingleNamespace* install mode. - -Examples: - -Bundle only supports *AllNamespaces*: -- `watchNamespace` is not a configuration -- bundle will be installed in *AllNamespaces* mode - -Bundle only supports *OwnNamespace*: -- `watchNamespace` is required -- `watchNamespace` must be the install namespace -- bundle will always be installed in *OwnNamespace* mode - -Bundle supports *AllNamespace* and *OwnNamespace*: -- `watchNamespace` is optional -- if `watchNamespace` = install namespace => bundle will be installed in *OwnNamespace* mode -- if `watchNamespace` is null or not set => bundle will be installed in *AllNamespaces* mode -- if `watchNamespace` != install namespace => error - -Bundle only supports *SingleNamespace*: -- `watchNamespace` is required -- `watchNamespace` must *NOT* be the install namespace -- bundle will always be installed in *SingleNamespace* mode - -Bundle supports *AllNamespaces*, *SingleNamespace*, and *OwnNamespace* install modes: -- `watchNamespace` can be optionally configured -- if `watchNamespace` = install namespace => bundle will be installed in *OwnNamespace* mode -- if `watchNamespace` != install namespace => bundle will be installed in *SingleNamespace* mode -- if `watchNamespace` is null or not set => bundle will be installed in *AllNamespaces* mode - -### Examples - -``` terminal title="SingleNamespace install mode example" -kubectl apply -f - <" -and group "olm:clusterextensions" limiting Kubernetes API access scope to those defined for this user and group. These -users and group do not exist beyond being defined in Cluster/RoleBinding(s) and can only be impersonated by clients with - `impersonate` verb permissions on the `users` and `groups` resources. - -### Demo - -[![asciicast](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi.svg)](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi) - -#### Examples: - -##### ClusterExtension management as cluster-admin - -To enable ClusterExtensions management as cluster-admin, bind the `cluster-admin` cluster role to the `olm:clusterextensions` -group: - -``` -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: clusterextensions-group-admin-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: Group - name: "olm:clusterextensions" -``` - -##### Scoped olm:clusterextension group + Added perms on specific extensions - -Give ClusterExtension management group broad permissions to manage ClusterExtensions denying potentially dangerous -permissions such as being able to read cluster wide secrets: - -``` -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: clusterextension-installer -rules: - - apiGroups: [ olm.operatorframework.io ] - resources: [ clusterextensions/finalizers ] - verbs: [ update ] - - apiGroups: [ apiextensions.k8s.io ] - resources: [ customresourcedefinitions ] - verbs: [ create, list, watch, get, update, patch, delete ] - - apiGroups: [ rbac.authorization.k8s.io ] - resources: [ clusterroles, roles, clusterrolebindings, rolebindings ] - verbs: [ create, list, watch, get, update, patch, delete ] - - apiGroups: [""] - resources: [configmaps, endpoints, events, pods, pod/logs, serviceaccounts, services, services/finalizers, namespaces, persistentvolumeclaims] - verbs: ['*'] - - apiGroups: [apps] - resources: [ '*' ] - verbs: ['*'] - - apiGroups: [ batch ] - resources: [ '*' ] - verbs: [ '*' ] - - apiGroups: [ networking.k8s.io ] - resources: [ '*' ] - verbs: [ '*' ] - - apiGroups: [authentication.k8s.io] - resources: [tokenreviews, subjectaccessreviews] - verbs: [create] -``` - -``` -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: clusterextension-installer-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: clusterextension-installer -subjects: -- kind: Group - name: "olm:clusterextensions" -``` - -Give a specific ClusterExtension secrets access, maybe even on specific namespaces: - -``` -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: clusterextension-privileged -rules: -- apiGroups: [""] - resources: [secrets] - verbs: ['*'] -``` - -``` -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: clusterextension-privileged-binding - namespace: -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: clusterextension-privileged -subjects: -- kind: User - name: "olm:clusterextensions:argocd-operator" -``` - -Note: In this example the ClusterExtension user (or group) will still need to be updated to be able to manage -the CRs coming from the argocd operator. Some look ahead and RBAC permission wrangling will still be required. diff --git a/docs/draft/project/single-tenant-simplification.md b/docs/draft/project/single-tenant-simplification.md new file mode 100644 index 0000000000..cba92b92b3 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification.md @@ -0,0 +1,240 @@ +# Design: Single-Tenant Simplification + +**Status:** Draft +**Date:** 2026-03-05 + +## Summary + +This design document proposes a set of changes to OLM v1 that re-affirm its single-tenant, cluster-admin-only operational model. Over time, several multi-tenancy concepts have crept into OLM v1's API surface and implementation despite the [explicit decision](../../project/olmv1_design_decisions.md) to not support multi-tenancy. This proposal removes those vestiges, simplifies the user experience, and strengthens the security posture of OLM v1. + +The three themes of this proposal are: + +1. **Re-affirm that multi-tenancy is not supported.** OLM v1 APIs are cluster-admin-only APIs. +2. **Remove multi-tenancy artifacts from the API and implementation.** Deprecate the service account field, remove SingleNamespace/OwnNamespace install mode support, and automate namespace management. +3. **Clarify security expectations in documentation.** Cluster-admins must not delegate ClusterExtension or ClusterCatalog creation to non-cluster-admin users. + +## Motivation + +### Service account complexity + +The current `ClusterExtension.spec.serviceAccount` field requires cluster-admins to derive, create, and maintain a purpose-built ServiceAccount with precisely scoped RBAC for every extension they install. This process is documented in the [derive-service-account guide](../../howto/derive-service-account.md), which itself acknowledges the complexity: + +> We understand that manually determining the minimum RBAC required for installation/upgrade of a `ClusterExtension` is quite complex and protracted. + +This design exists because OLM v1 was originally designed to not run as cluster-admin itself. The intent was to prevent OLM from becoming a privilege escalation vector — a real problem in OLM v0 where any user who could create a Subscription effectively had cluster-admin access. + +However, the ServiceAccount-per-extension model has proven to be a poor fit for a system that only cluster-admins should interact with: + +- **It solves the wrong problem.** The privilege escalation risk in OLM v0 existed because non-cluster-admins could trigger installations. If only cluster-admins can create ClusterExtensions (which is already a requirement), the risk is eliminated regardless of which service account performs the installation. +- **It creates an enormous usability burden.** Cluster-admins must read bundle contents, understand OLM's internal object naming schemes, and iteratively grant permissions. This is the single largest source of friction in OLM v1 adoption. +- **It provides a false sense of scoped security.** The ServiceAccount field may lead cluster-admins to believe they can safely delegate ClusterExtension creation to non-admin users, expecting that the delegated user is constrained to only using ServiceAccounts with a subset of their own permissions. In reality, a ClusterExtension writer can reference any ServiceAccount in any namespace on the cluster. Even if the writer has minimal privileges and cannot create a privileged ServiceAccount on their own, they can trivially reference an existing privileged ServiceAccount — one created by another team for a different extension, or a default SA with elevated permissions — to achieve cluster-admin directly or to trampoline into further escalation. The ServiceAccount field was designed to constrain OLM's power, but it actually hands that power to whoever can write a ClusterExtension. Meanwhile, most extensions require near-cluster-admin level permissions anyway (CRDs, cluster-scoped RBAC, webhooks, etc.), and the recommended workaround for testing is to bind `cluster-admin`. + +### Watch namespace configuration + +The `SingleOwnNamespaceInstallSupport` feature gate (currently GA, default enabled) allows operators to be installed in SingleNamespace or OwnNamespace mode. This feature exists solely for backwards compatibility with OLM v0 bundles, but contradicts the [core design decision](../../project/olmv1_design_decisions.md#watched-namespaces-cannot-be-configured-in-a-first-class-api) that OLM v1 will not configure watched namespaces: + +> Kubernetes APIs are global. Kubernetes is designed with the assumption that a controller WILL reconcile an object no matter where it is in the cluster. + +Supporting SingleNamespace and OwnNamespace modes creates: +- Operational confusion when CRDs (which are cluster-scoped) conflict between installations. +- A false expectation that multiple installations of the same operator are supported. +- Unnecessary complexity in the rendering and validation pipeline. + +### Namespace management + +The current model requires the installation namespace to pre-exist and contain the specified ServiceAccount. This creates unnecessary manual steps and prevents OLM from leveraging CSV-provided namespace metadata (suggested-namespace annotations) that bundle authors have already defined. + +## Benefits + +Beyond simplifying the current user experience, these changes unlock future capabilities that were previously impossible or impractical due to multi-tenancy constraints. + +### Simplified user experience + +- Cluster-admins no longer need to derive, create, and maintain per-extension ServiceAccounts with precisely scoped RBAC. Installing an extension becomes: create a ClusterExtension resource and (optionally) specify a namespace. +- Fewer feature gates and less code to maintain, reducing the surface area for bugs and confusion. +- A clearer, more auditable security boundary: who can create ClusterExtension resources, rather than what each ServiceAccount is allowed to do. +- Alignment with how OLM v1 is already deployed in practice (most users bind cluster-admin to the installer ServiceAccount anyway). + +### Dependency discovery and reporting + +With all operators guaranteed to watch all namespaces, dependency relationships between operators can be cleanly discovered, assessed, and reported. In the current model, an operator installed in SingleNamespace mode may or may not satisfy a dependency depending on which namespace it watches — a fact OLM cannot reliably determine. With AllNamespaces as the only mode, if an API's CRD exists on the cluster and a controller is installed for it, the dependency is satisfied. Period. + +### Improved resolver diagnostics + +In OLM v0, the dependency resolver had to be careful not to leak information in Subscription status messages about operators installed in other namespaces, because that could violate tenant isolation expectations. With multi-tenancy explicitly off the table, a future dependency resolver can provide rich, detailed diagnostic messages when resolution fails — including which installed operators were considered, why they didn't satisfy constraints, and what the user can do to fix the situation — without worrying about cross-namespace information leaks. + +### Cluster-state-aware configuration templating + +In OLM v0, the configuration engine could not plumb arbitrary resource contents into templates because reading resources from other namespaces could leak data across tenant boundaries. With a single-tenant model and cluster-admin permissions, a future configuration templating engine can safely query arbitrary cluster state — infrastructure node counts, available storage classes, cluster version, installed CRDs — and use that information to generate context-aware default configurations for extensions. + +## Proposal + +### 1. Deprecate and ignore `ClusterExtension.spec.serviceAccount` + +**API change:** +- Mark `spec.serviceAccount` as deprecated in the OpenAPI schema. It remains in the API for backwards compatibility but is ignored by the controller. +- The field should eventually be removed in a future API version. + +**Behavior change:** +- operator-controller's own ServiceAccount is granted `cluster-admin` via a ClusterRoleBinding, deployed as part of the operator-controller installation manifests. +- operator-controller uses its own ServiceAccount for all Kubernetes API interactions when managing ClusterExtension resources (creating, updating, deleting managed objects). +- The `PreflightPermissions` feature gate and the preflight permissions checking logic become unnecessary and should be removed. +- The `SyntheticPermissions` feature gate and synthetic user permission model become unnecessary and should be removed. + +**Migration:** +- Existing ClusterExtensions that specify `spec.serviceAccount` continue to function — the field is simply ignored. +- The ServiceAccount, ClusterRole, ClusterRoleBinding, Role, and RoleBinding resources that were created for the installer ServiceAccount can be cleaned up by the cluster-admin at their convenience. OLM will not delete them. + +**Documentation impact:** +- The [derive-service-account guide](../../howto/derive-service-account.md) should be archived/removed. +- The [permission model concept doc](../../concepts/permission-model.md) should be rewritten. +- The [preflight permissions check guide](../howto/rbac-permissions-checking.md) should be archived/removed. +- The [synthetic permissions guide](../howto/use-synthetic-permissions.md) should be archived/removed. +- Tutorials and getting-started guides should be simplified to remove ServiceAccount creation steps. + +### 2. Remove SingleNamespace and OwnNamespace install mode support + +**Behavior change:** +- Remove the `SingleOwnNamespaceInstallSupport` feature gate. +- operator-controller stamps out ALL registry+v1 bundle installations such that they are configured to watch all namespaces, regardless of the `installModes` declared in the CSV. +- The `spec.config.inline.watchNamespace` configuration option is no longer accepted and should cause a validation error. +- If a CSV only declares support for `SingleNamespace` and/or `OwnNamespace` (and not `AllNamespaces`), OLM v1 installs it in AllNamespaces mode anyway. OLM v1 takes the position that watching all namespaces is always correct for a cluster-scoped controller installation. + +**Rationale:** +- This aligns with the [design decision](../../project/olmv1_design_decisions.md#watched-namespaces-cannot-be-configured-in-a-first-class-api) that OLM v1 will not configure watched namespaces. +- Operators that genuinely cannot function when watching all namespaces are rare and would need to be updated by their authors. +- The `installModes` concept is an OLM v0 artifact that will not exist in future bundle format versions. + +**Documentation impact:** +- The [SingleNamespace/OwnNamespace install guide](../howto/single-ownnamespace-install.md) should be archived/removed. +- The [limitations doc](../../project/olmv1_limitations.md) should be updated to remove the note about SingleNamespace/OwnNamespace support. + +### 3. Change `ClusterExtension.spec.namespace` to optional with automatic namespace management + +**API change:** +- `spec.namespace` becomes optional (currently required). +- The immutability constraint on `spec.namespace` is retained. + +**Behavior change — namespace determination:** + +operator-controller determines the installation namespace using the following precedence (highest to lowest): + +1. **`ClusterExtension.spec.namespace`** — If specified by the user, this is the namespace name used. +2. **`operatorframework.io/suggested-namespace` CSV annotation** — If the CSV provides a suggested namespace name, it is used. +3. **`-system` fallback** — If neither of the above is present, operator-controller generates a namespace name from the package name. + +**Behavior change — namespace body/template:** + +- If the CSV contains the `operatorframework.io/suggested-namespace-template` annotation, its value (a full JSON Namespace object) is used as the template for creating the namespace. This allows bundle authors to specify labels, annotations, and other namespace metadata. +- If `spec.namespace` specifies a different name than what appears in the template, the template body is still used but with the name overridden to match `spec.namespace`. +- If no template annotation is present, operator-controller creates a plain namespace with the determined name. + +**Behavior change — namespace lifecycle:** + +- The installation namespace is a **managed object** of the ClusterExtension. It follows the same ownership rules as all other managed objects: + - It is created by operator-controller if it does not exist. + - A pre-existing namespace results in a conflict error, consistent with the [single-owner objects](../../concepts/single-owner-objects.md) design. This ensures that managed resources are not accidentally adopted or clobbered. + - It is deleted when the ClusterExtension is deleted (along with all other managed objects). + +**Migration:** +- Existing ClusterExtensions that specify `spec.namespace` continue to function identically. +- For existing installations where the namespace was manually created before the ClusterExtension, operator-controller should adopt the namespace during the migration period (one-time reconciliation to add ownership metadata). The pre-existence error applies only to new installations going forward. + +### 4. Restrict API access: ClusterExtension and ClusterCatalog are cluster-admin-only + +**No API or behavior changes.** This is a documentation and guidance change. + +**Key points to document:** + +- `ClusterExtension` and `ClusterCatalog` are **cluster-admin-only APIs**. Cluster-admins MUST NOT create RBAC that grants non-cluster-admin users the ability to create, update, or delete these resources. +- **Rationale:** ClusterExtension enables the creation and manipulation of any Kubernetes object on the cluster (CRDs, RBAC, Deployments, webhooks, etc.). Granting a non-cluster-admin user access to create ClusterExtensions is equivalent to granting them cluster-admin, making it a privilege escalation vector. +- **ClusterCatalog** has a similar risk profile: catalogs determine what content is available for installation, and a malicious catalog could provide bundles containing arbitrary cluster-scoped resources. +- This is not a new restriction — it has always been the intent — but it must be stated explicitly and prominently rather than implied. + +**Documentation impact:** +- Add a security considerations section to the main documentation. +- Update the [design decisions doc](../../project/olmv1_design_decisions.md#make-olm-secure-by-default) to clarify that the security model relies on restricting who can create ClusterExtensions, not on restricting what OLM can do once a ClusterExtension is created. +- Add warnings to the API reference documentation for ClusterExtension and ClusterCatalog. + +## Impact on existing features and feature gates + +| Feature / Feature Gate | Current State | Proposed State | +|---|---|---| +| `spec.serviceAccount` | Required field | Deprecated, ignored | +| `PreflightPermissions` | Alpha (default off) | Remove | +| `SyntheticPermissions` | Alpha (default off) | Remove | +| `SingleOwnNamespaceInstallSupport` | GA (default on) | Remove | +| `spec.namespace` | Required field | Optional field | +| `spec.config.inline.watchNamespace` | Accepted config | Validation error | +| operator-controller ClusterRoleBinding | Not cluster-admin | cluster-admin | + +## Security analysis + +### Current model + +- operator-controller runs without cluster-admin. +- Each ClusterExtension specifies a ServiceAccount scoped to the minimum permissions needed. +- In practice, most ServiceAccounts are bound to cluster-admin because deriving minimal RBAC is impractical. +- The security boundary is: "What can this ServiceAccount do?" + +### Proposed model + +- operator-controller runs as cluster-admin. +- The security boundary shifts to: "Who can create ClusterExtension and ClusterCatalog resources?" +- This is a simpler, more auditable, and more correct security boundary: + - It is binary: either you can create these resources or you cannot. + - It aligns with how Kubernetes RBAC is designed to work. + - It does not rely on cluster-admins correctly deriving complex RBAC for every extension. + - It matches the reality of how OLM v1 is already deployed in most environments. + +### Risk: compromise of operator-controller + +With cluster-admin, a compromised operator-controller pod is a more severe risk. Mitigations: + +- operator-controller already has significant privileges in practice (most deployments use cluster-admin ServiceAccounts). +- operator-controller is a trusted cluster component, deployed by the cluster provider/administrator. +- Standard Kubernetes security practices apply: network policies, pod security, image provenance, etc. +- This is the same trust model as kube-controller-manager, kube-scheduler, and other core control plane components. + +## Rollout + +This proposal involves breaking changes and should be rolled out in two phases: + +1. **Phase 1 — Behavior change:** operator-controller is granted cluster-admin and begins using its own ServiceAccount for all API interactions. `spec.serviceAccount` is marked deprecated and ignored. `spec.namespace` becomes optional with automatic namespace management. SingleNamespace/OwnNamespace support is removed. The `PreflightPermissions`, `SyntheticPermissions`, and `SingleOwnNamespaceInstallSupport` feature gates and their associated code are removed. Documentation is updated to reflect all changes. + + No existing ClusterExtension installations will break — operator-controller's cluster-admin ServiceAccount is a strict superset of any permissions that a user-configured ServiceAccount would have had. The only impact is on security-conscious users who relied on the limited permissions of the configured ServiceAccount to constrain what OLM could do on behalf of a given ClusterExtension. For those users, the security boundary shifts from per-extension ServiceAccount RBAC to controlling who can create ClusterExtension resources. + +2. **Phase 2 — API cleanup:** Remove `spec.serviceAccount` from the API in a future API version. + +## Alternatives considered + +### Keep ServiceAccount but automate its creation + +An alternative would be to keep the ServiceAccount model but have operator-controller or a CLI tool automatically create and maintain the ServiceAccount with the correct RBAC. + +**Rejected because:** This adds complexity to solve a problem that doesn't need to exist. If only cluster-admins create ClusterExtensions, the ServiceAccount is just an unnecessary indirection. Auto-generating it means operator-controller needs the permissions to create RBAC anyway, which is effectively cluster-admin. + +### Allow AllNamespaces + SingleNamespace as a user choice + +An alternative would be to continue allowing the user to choose between AllNamespaces and SingleNamespace modes. + +**Rejected because:** This contradicts the core design principle that APIs are global in Kubernetes. It creates a false sense of isolation and introduces complexity for a use case (multi-tenancy) that OLM v1 explicitly does not support. + +### Make ClusterExtension namespace-scoped to enable delegation + +An alternative would be to create a namespace-scoped `Extension` API that could be safely delegated to non-cluster-admins. + +**Rejected because:** The content installed by an extension (CRDs, cluster RBAC, webhooks) is inherently cluster-scoped. A namespace-scoped API would either need to be severely restricted in what it can install (making it useless for most operators) or would still be a privilege escalation vector. + +## Work items + +| # | Work item | Depends on | +|---|-----------|-----------| +| [01](single-tenant-simplification/01-cluster-admin.md) | Grant operator-controller cluster-admin | — | +| [02](single-tenant-simplification/02-deprecate-service-account.md) | Deprecate and ignore spec.serviceAccount | 01 | +| [03](single-tenant-simplification/03-remove-preflight-permissions.md) | Remove PreflightPermissions feature gate and code | — | +| [04](single-tenant-simplification/04-remove-synthetic-permissions.md) | Remove SyntheticPermissions feature gate and code | — | +| [05](single-tenant-simplification/05-remove-single-own-namespace.md) | Remove SingleNamespace/OwnNamespace install mode support | — | +| [06](single-tenant-simplification/06-optional-namespace.md) | Make spec.namespace optional with automatic namespace management | 02 | +| [07](single-tenant-simplification/07-simplify-contentmanager.md) | Simplify contentmanager to a single set of informers | 02 | +| [09](single-tenant-simplification/09-documentation.md) | Documentation updates | all | diff --git a/docs/draft/project/single-tenant-simplification/01-cluster-admin.md b/docs/draft/project/single-tenant-simplification/01-cluster-admin.md new file mode 100644 index 0000000000..330fb64291 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/01-cluster-admin.md @@ -0,0 +1,55 @@ +# Work Item: Grant operator-controller cluster-admin + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** Nothing (first work item) + +## Summary + +Grant operator-controller's ServiceAccount `cluster-admin` privileges via its Helm-managed ClusterRoleBinding. This is a prerequisite for all other simplification work items: once operator-controller has cluster-admin, per-extension service account scoping becomes unnecessary. + +## Current RBAC architecture + +The Helm chart defines RBAC in `helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml`. The ClusterRole is structured in two tiers, conditional on the `BoxcutterRuntime` feature gate: + +### When BoxcutterRuntime is NOT enabled (line 1) + +The entire ClusterRole is gated behind `{{- if and .Values.options.operatorController.enabled (not (has "BoxcutterRuntime" .Values.operatorConrollerFeatures)) }}`. It grants: + +- `serviceaccounts/token` create and `serviceaccounts` get — for per-CE SA impersonation +- `customresourcedefinitions` get +- `clustercatalogs` get/list/watch +- `clusterextensions` get/list/patch/update/watch, plus finalizers and status updates +- `clusterrolebindings`, `clusterroles`, `rolebindings`, `roles` list/watch — for `PreflightPermissions` RBAC validation +- OpenShift SCC `use` (conditional on `.Values.options.openshift.enabled`) + +### When BoxcutterRuntime IS enabled (lines 81-113) + +Additional rules are appended within the same ClusterRole: + +- `*/*` list/watch — broad permissions needed for the Boxcutter tracking cache +- `clusterextensionrevisions` full CRUD, status, and finalizers + +### When BoxcutterRuntime is enabled but the outer guard is false + +If BoxcutterRuntime is in `.Values.operatorConrollerFeatures`, the outer guard on line 1 is false, so the entire ClusterRole (including the Boxcutter-specific rules) is not rendered. This suggests the Boxcutter path uses a different RBAC mechanism or that there is a separate ClusterRole for that case. + +## Proposed changes + +### Helm RBAC + +- Replace the conditionally-scoped ClusterRole with a `cluster-admin` ClusterRoleBinding (binding operator-controller's ServiceAccount to the built-in `cluster-admin` ClusterRole). +- Remove the conditional RBAC templating based on `BoxcutterRuntime`. With cluster-admin, the feature-gate-conditional rules are all subsumed. +- Remove the `serviceaccounts/token` create and `serviceaccounts` get rules (no longer needed since operator-controller uses its own identity). +- Remove the RBAC list/watch rules that existed for `PreflightPermissions` validation. +- The OpenShift SCC `use` permission is also subsumed by cluster-admin. + +### Key files + +- `helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml` — Replace with cluster-admin ClusterRoleBinding +- Any other Helm RBAC templates that may need updating + +## Notes + +- There is a typo in the Helm template: `.Values.operatorConrollerFeatures` (missing "t" in "Controller"). This can be fixed as part of this work or separately. +- The cluster-admin grant is intentionally broad. The security boundary shifts from "what can operator-controller do" to "who can create ClusterExtension/ClusterCatalog resources." See the [security analysis](../single-tenant-simplification.md#security-analysis) in the design doc. diff --git a/docs/draft/project/single-tenant-simplification/02-deprecate-service-account.md b/docs/draft/project/single-tenant-simplification/02-deprecate-service-account.md new file mode 100644 index 0000000000..87a657f0b9 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/02-deprecate-service-account.md @@ -0,0 +1,57 @@ +# Work Item: Deprecate and ignore spec.serviceAccount + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** [01-cluster-admin](01-cluster-admin.md) + +## Summary + +Mark `ClusterExtension.spec.serviceAccount` as deprecated in the OpenAPI schema and make the controller ignore it. operator-controller uses its own ServiceAccount for all Kubernetes API interactions when managing ClusterExtension resources. + +## Scope + +- Mark `spec.serviceAccount` as deprecated in the CRD/OpenAPI schema. +- Modify the controller to stop reading `spec.serviceAccount` and instead use operator-controller's own identity for all API calls. +- The `RestConfigMapper` / `clientRestConfigMapper` plumbing in `cmd/operator-controller/main.go` that creates per-CE service account-scoped clients becomes unnecessary. The Helm `ActionConfigGetter` should use operator-controller's own config. +- The field remains in the API for backward compatibility but is ignored. + +## Helm applier + +- The `RestConfigMapper` / `clientRestConfigMapper` plumbing in `cmd/operator-controller/main.go` that creates per-CE service account-scoped clients becomes unnecessary. The Helm `ActionConfigGetter` should use operator-controller's own config. + +## Boxcutter applier + +The Boxcutter applier reads `spec.serviceAccount` and propagates it through the revision lifecycle: + +- `applier/boxcutter.go:208-209` — `buildClusterExtensionRevision` writes `ServiceAccountNameKey` and `ServiceAccountNamespaceKey` annotations on `ClusterExtensionRevision` objects, sourced from `ext.Spec.ServiceAccount.Name` and `ext.Spec.Namespace`. +- `controllers/revision_engine_factory.go:82-98` — `getServiceAccount` reads those annotations back from the CER. +- `controllers/revision_engine_factory.go:101-122` — `createScopedClient` creates an anonymous REST config wrapped with `TokenInjectingRoundTripper` to impersonate the SA. +- `controllers/revision_engine_factory.go:57-80` — `CreateRevisionEngine` passes the scoped client into the boxcutter `machinery.NewObjectEngine` and `machinery.NewRevisionEngine`. + +With single-tenant simplification: + +- Stop writing SA annotations on CERs. +- `RevisionEngineFactory` uses operator-controller's own client directly instead of creating per-CER scoped clients. The factory struct fields `BaseConfig` and `TokenGetter` become unnecessary. +- Remove `getServiceAccount` and `createScopedClient` from the factory. +- Remove the `internal/operator-controller/authentication/` package (`TokenGetter` and `TokenInjectingRoundTripper`), which is only used for SA impersonation. +- Remove `ServiceAccountNameKey` / `ServiceAccountNamespaceKey` label constants. + +Note: The Boxcutter `TrackingCache` (informers) is already shared across all CERs — no informer consolidation is needed. The per-CER isolation was only at the client level for SA scoping. + +## Key files + +- `api/v1/clusterextension_types.go` — Mark field deprecated +- `cmd/operator-controller/main.go:697-708` — `clientRestConfigMapper` and Helm `ActionConfigGetter` setup +- `internal/operator-controller/authentication/` — `TokenGetter` / `TokenInjectingRoundTripper` (remove entirely) +- `internal/operator-controller/applier/boxcutter.go:208-209` — SA annotations written on CERs +- `internal/operator-controller/controllers/revision_engine_factory.go` — Per-CER scoped client creation +- `internal/operator-controller/labels/labels.go:29-41` — `ServiceAccountNameKey` / `ServiceAccountNamespaceKey` constants + +## Migration + +- Existing ClusterExtensions that specify `spec.serviceAccount` continue to function; the field is simply ignored. +- Cluster-admins can clean up the ServiceAccount, ClusterRole, ClusterRoleBinding, Role, and RoleBinding resources they previously created at their convenience. + +## Notes + +- Full removal of `spec.serviceAccount` from the API happens in a future API version (Phase 2 in the design doc). diff --git a/docs/draft/project/single-tenant-simplification/03-remove-preflight-permissions.md b/docs/draft/project/single-tenant-simplification/03-remove-preflight-permissions.md new file mode 100644 index 0000000000..a4b0022350 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/03-remove-preflight-permissions.md @@ -0,0 +1,59 @@ +# Work Item: Remove PreflightPermissions feature gate and code + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** Nothing (independent) + +## Summary + +Remove the `PreflightPermissions` feature gate (currently Alpha, default off) and all associated RBAC pre-authorization code. This also enables removing the `k8s.io/kubernetes` dependency from `go.mod`, along with 30 `replace` directives that exist solely to align `k8s.io/kubernetes` sub-module versions. + +## Scope + +### Remove feature gate and code + +- Remove the `PreflightPermissions` feature gate definition from `internal/operator-controller/features/features.go:26-30`. +- Remove the `internal/operator-controller/authorization/` package entirely. This package contains the `PreAuthorizer` interface and the RBAC-based implementation that validates user permissions before applying manifests. +- Remove the `PreAuthorizer` field from the Boxcutter applier (`internal/operator-controller/applier/boxcutter.go:421`). +- Remove the conditional `PreAuthorizer` setup in `cmd/operator-controller/main.go:722-725`. +- Remove related tests (`internal/operator-controller/authorization/rbac_test.go`). + +### Remove `k8s.io/kubernetes` dependency + +The `authorization/rbac.go` imports four packages from `k8s.io/kubernetes` (lines 28-32): + +- `k8s.io/kubernetes/pkg/apis/rbac` +- `k8s.io/kubernetes/pkg/apis/rbac/v1` +- `k8s.io/kubernetes/pkg/registry/rbac` +- `k8s.io/kubernetes/pkg/registry/rbac/validation` +- `k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac` + +These are the **only** imports of `k8s.io/kubernetes` in the entire codebase. Removing the authorization package enables: + +- Removing `k8s.io/kubernetes v1.35.0` from `go.mod` (line 46). +- Removing all 30 `replace` directives (lines 260-319) that exist to align `k8s.io/kubernetes` sub-module versions (`k8s.io/api`, `k8s.io/apiextensions-apiserver`, `k8s.io/apimachinery`, `k8s.io/apiserver`, `k8s.io/cli-runtime`, `k8s.io/client-go`, `k8s.io/cloud-provider`, `k8s.io/cluster-bootstrap`, etc.). +- Running `go mod tidy` to clean up any transitive dependencies that were only pulled in by `k8s.io/kubernetes`. + +### Remove k8s-pin tooling + +The `hack/tools/k8smaintainer/` program (invoked via `make k8s-pin`) exists to generate and maintain the `k8s.io/*` `replace` directives in `go.mod`. It reads the `k8s.io/kubernetes` version, enumerates all `k8s.io/*` staging modules in the dependency graph, and pins them to matching versions. The `make verify` target runs `k8s-pin` as a prerequisite. + +With `k8s.io/kubernetes` removed from `go.mod`, this tool has nothing to do — the remaining `k8s.io/*` dependencies (`k8s.io/api`, `k8s.io/client-go`, etc.) are used directly and managed normally by `go mod tidy` without `replace` directives. + +- Remove `hack/tools/k8smaintainer/` (including `main.go` and `README.md`). +- Remove the `k8s-pin` Makefile target and its invocation in the `verify` target (replace with just `tidy`). + +### Remove RBAC list/watch permissions + +With `PreflightPermissions` removed, operator-controller no longer needs the `clusterrolebindings`, `clusterroles`, `rolebindings`, `roles` list/watch permissions in the Helm ClusterRole. These can be removed as part of [01-cluster-admin](01-cluster-admin.md) or this work item. + +## Key files + +- `internal/operator-controller/authorization/rbac.go` — Only consumer of `k8s.io/kubernetes` +- `internal/operator-controller/authorization/rbac_test.go` — Tests +- `internal/operator-controller/features/features.go` — Feature gate definition +- `internal/operator-controller/applier/boxcutter.go` — `PreAuthorizer` field +- `cmd/operator-controller/main.go` — Conditional setup +- `go.mod` — `k8s.io/kubernetes` dependency and replace directives +- `hack/tools/k8smaintainer/` — `k8s-pin` tool that generates replace directives +- `Makefile` — `k8s-pin` target (line 157) and its use in `verify` (line 205) diff --git a/docs/draft/project/single-tenant-simplification/04-remove-synthetic-permissions.md b/docs/draft/project/single-tenant-simplification/04-remove-synthetic-permissions.md new file mode 100644 index 0000000000..6efad17100 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/04-remove-synthetic-permissions.md @@ -0,0 +1,21 @@ +# Work Item: Remove SyntheticPermissions feature gate and code + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** Nothing (independent) + +## Summary + +Remove the `SyntheticPermissions` feature gate (currently Alpha, default off) and all associated synthetic user permission model code. + +## Scope + +- Remove the `SyntheticPermissions` feature gate definition. +- Remove the synthetic user REST config mapper and related code. +- Remove related tests. + +## Key files + +- `internal/operator-controller/features/` - Feature gate definitions +- `cmd/operator-controller/main.go:698-699` - Conditional wrapping with `SyntheticUserRestConfigMapper` +- Any code implementing the synthetic permissions model diff --git a/docs/draft/project/single-tenant-simplification/05-remove-single-own-namespace.md b/docs/draft/project/single-tenant-simplification/05-remove-single-own-namespace.md new file mode 100644 index 0000000000..b1efb7e34d --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/05-remove-single-own-namespace.md @@ -0,0 +1,40 @@ +# Work Item: Remove SingleNamespace/OwnNamespace install mode support + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** Nothing (independent) + +## Summary + +Remove the `SingleOwnNamespaceInstallSupport` feature gate (currently GA, default on) and all associated code. Operators are always installed in AllNamespaces mode. The `watchNamespace` configuration option is removed from the bundle config schema. + +## Scope + +### Remove feature gate + +- Remove the `SingleOwnNamespaceInstallSupport` feature gate definition from `internal/operator-controller/features/features.go:35-39`. +- Remove all references to `IsSingleOwnNamespaceEnabled` / `SingleOwnNamespaceInstallSupport` throughout the codebase. + +### Remove watchNamespace from the config schema + +- Remove the `watchNamespace` property from the bundle config JSON schema (`internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json`). +- Remove `GetWatchNamespace()` from `internal/operator-controller/config/config.go:88-106`. +- Remove the conditional block in `internal/operator-controller/applier/provider.go:73-79` that extracts `watchNamespace` and passes it to the renderer via `render.WithTargetNamespaces()`. +- Remove related tests in `internal/operator-controller/config/config_test.go` and `internal/operator-controller/applier/provider_test.go`. + +With `watchNamespace` removed from the schema, any ClusterExtension that specifies `spec.config.inline.watchNamespace` will fail schema validation automatically — no explicit validation error needs to be added. + +### Update install mode handling + +- If a CSV only declares support for `SingleNamespace` and/or `OwnNamespace` (and not `AllNamespaces`), OLM v1 installs it in AllNamespaces mode anyway. OLM v1 takes the position that watching all namespaces is always correct for a cluster-scoped controller installation. +- Remove the `render.WithTargetNamespaces()` option and related rendering logic that generates namespace-scoped configurations. + +## Key files + +- `internal/operator-controller/features/features.go` — Feature gate definition +- `internal/operator-controller/config/config.go` — `GetWatchNamespace()` method +- `internal/operator-controller/applier/provider.go` — Conditional `IsSingleOwnNamespaceEnabled` block +- `internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json` — Bundle config schema +- `internal/operator-controller/rukpak/bundle/registryv1.go` — Bundle config schema handling +- `hack/tools/schema-generator/main.go` — Schema generator +- `docs/draft/howto/single-ownnamespace-install.md` — To be archived/removed (see [09-documentation](09-documentation.md)) diff --git a/docs/draft/project/single-tenant-simplification/06-optional-namespace.md b/docs/draft/project/single-tenant-simplification/06-optional-namespace.md new file mode 100644 index 0000000000..512ff91bc7 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/06-optional-namespace.md @@ -0,0 +1,68 @@ +# Work Item: Make spec.namespace optional with automatic namespace management + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** [02-deprecate-service-account](02-deprecate-service-account.md) + +## Summary + +Change `ClusterExtension.spec.namespace` from required to optional. When not specified, operator-controller determines the installation namespace automatically using CSV annotations or a fallback convention. The installation namespace becomes a managed object of the ClusterExtension. + +## Namespace determination precedence + +operator-controller determines the installation namespace using the following precedence (highest to lowest): + +1. **`ClusterExtension.spec.namespace`** — If specified by the user, this is the namespace name used. +2. **`operatorframework.io/suggested-namespace` CSV annotation** — If the CSV provides a suggested namespace name, it is used. +3. **`operatorframework.io/suggested-namespace-template` CSV annotation** — If the CSV provides a namespace template (a full JSON Namespace object), its `metadata.name` is used. +4. **`-system` fallback** — If none of the above are present, operator-controller generates a namespace name from the package name. If `-system` exceeds the maximum namespace name length, `` is used instead. + +## Namespace body/template + +- If the CSV contains the `operatorframework.io/suggested-namespace-template` annotation, its value (a full JSON Namespace object) is used as the template for creating the namespace. This allows bundle authors to specify labels, annotations, and other namespace metadata. +- If `spec.namespace` or `suggested-namespace` specifies a different name than what appears in the template, the template body is still used but with the name overridden. +- If no template annotation is present, operator-controller creates a plain namespace with the determined name. + +### Behavior when both annotations are present + +When a CSV defines both `operatorframework.io/suggested-namespace` and `operatorframework.io/suggested-namespace-template`: + +- The **name** comes from `suggested-namespace` (unless overridden by `spec.namespace`). +- The **body** (labels, annotations, other metadata) comes from `suggested-namespace-template`. +- If the template's `metadata.name` differs from the name determined by `suggested-namespace`, the template's name is overridden. + +In other words, `suggested-namespace` controls naming and `suggested-namespace-template` controls the namespace shape. When both are present, the name from `suggested-namespace` takes precedence over any name embedded in the template. + +## Namespace lifecycle + +- The installation namespace is a **managed object** of the ClusterExtension. It follows the same ownership rules as all other managed objects: + - It is created by operator-controller if it does not exist. + - A pre-existing namespace results in a conflict error, consistent with the [single-owner objects](../../concepts/single-owner-objects.md) design. + - It is deleted when the ClusterExtension is deleted (along with all other managed objects). +- The immutability constraint on `spec.namespace` is retained — once set (explicitly or by auto-determination), the namespace cannot be changed. + +## Migration + +- Existing ClusterExtensions that specify `spec.namespace` continue to function identically. +- For existing installations where the namespace was manually created before the ClusterExtension, operator-controller should adopt the namespace during the migration period (one-time reconciliation to add ownership metadata). The pre-existence error applies only to new installations going forward. + +## Scope + +### API changes + +- Mark `spec.namespace` as optional in `api/v1/clusterextension_types.go` (remove the `required` validation or make the field a pointer). +- Update CRD/OpenAPI schema generation. + +### Controller changes + +- Add namespace determination logic implementing the precedence rules above. +- Add namespace creation/management as a reconciliation step (likely a new `ReconcileStepFunc` in `internal/operator-controller/controllers/clusterextension_reconcile_steps.go`). +- Read `operatorframework.io/suggested-namespace` and `operatorframework.io/suggested-namespace-template` from the resolved CSV. +- Handle the migration path: adopt pre-existing namespaces for existing installations. + +### Key files + +- `api/v1/clusterextension_types.go` — Make `Namespace` optional +- `internal/operator-controller/controllers/clusterextension_reconcile_steps.go` — New namespace management step +- `internal/operator-controller/controllers/clusterextension_controller.go` — Integration +- CSV annotation reading (location TBD based on where bundle metadata is accessed) diff --git a/docs/draft/project/single-tenant-simplification/07-simplify-contentmanager.md b/docs/draft/project/single-tenant-simplification/07-simplify-contentmanager.md new file mode 100644 index 0000000000..8e863bcb74 --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/07-simplify-contentmanager.md @@ -0,0 +1,44 @@ +# Work Item: Simplify contentmanager to a single set of informers + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** [02-deprecate-service-account](02-deprecate-service-account.md) + +## Summary + +The contentmanager currently creates a separate `DynamicSharedInformerFactory`, dynamic client, and set of informers for each ClusterExtension. This per-CE isolation exists for two reasons: + +1. **Per-CE service account credentials** - Each CE's informers use a REST config scoped to that CE's service account (via `RestConfigMapper`). +2. **Per-CE label selector** - Each factory filters with `OwnerKind=ClusterExtension, OwnerName=`. + +With single-tenant simplification, reason (1) disappears entirely: operator-controller uses its own identity for everything. This means a single dynamic client and a single set of informers can serve all ClusterExtensions, using a broader label selector that matches all operator-controller-managed objects (e.g., `OwnerKind=ClusterExtension` without filtering by name). + +## Current architecture + +- `contentmanager.go:40` - `caches map[string]cmcache.Cache` maps CE name to a per-CE cache +- `contentmanager.go:99` - `i.rcm(ctx, ce, i.baseCfg)` creates a per-CE REST config via the service account mapper +- `contentmanager.go:104` - Creates a per-CE `dynamic.Client` from that config +- `contentmanager.go:109-122` - Each factory uses label selector `OwnerKind=ClusterExtension, OwnerName=` +- `contentmanager.go:119-123` - A new `DynamicSharedInformerFactory` is created per CE (and per-GVK within a CE) +- `cache/cache.go:51-57` - Each cache tracks `map[GVK]CloserSyncingSource` per CE + +## Proposed simplification + +- Remove the `RestConfigMapper` and per-CE client creation. +- Use a single dynamic client with operator-controller's own credentials. +- Use a single `DynamicSharedInformerFactory` (or a single set of informers) with a label selector matching all managed objects: `OwnerKind=ClusterExtension`. +- The `Manager` interface simplifies: no longer needs `Get(ctx, *ClusterExtension)` keyed by CE. Instead, a single cache watches all managed GVKs. +- Event routing to the correct ClusterExtension reconciliation is already handled by the `EnqueueRequestForOwner` handler in the sourcerer (`sourcerer.go:42`), which reads owner references from the objects. + +## Key files + +- `internal/operator-controller/contentmanager/contentmanager.go` - Manager with per-CE cache map +- `internal/operator-controller/contentmanager/cache/cache.go` - Per-CE cache with GVK-to-source map +- `internal/operator-controller/contentmanager/sourcerer.go` - Creates sources with per-CE label selectors and schemes +- `internal/operator-controller/contentmanager/source/dynamicsource.go` - Dynamic informer source +- `internal/operator-controller/applier/helm.go:69` - Helm applier's `Manager` field +- `cmd/operator-controller/main.go:727` - ContentManager creation with `clientRestConfigMapper` + +## Notes + +- This work item only applies if the Helm applier path is still in use. If the Boxcutter runtime fully replaces Helm before this work begins, the contentmanager can simply be deleted instead of simplified (Boxcutter does not use contentmanager at all; see `main.go:588-593`). diff --git a/docs/draft/project/single-tenant-simplification/09-documentation.md b/docs/draft/project/single-tenant-simplification/09-documentation.md new file mode 100644 index 0000000000..62f088bc9e --- /dev/null +++ b/docs/draft/project/single-tenant-simplification/09-documentation.md @@ -0,0 +1,32 @@ +# Work Item: Documentation updates + +**Parent:** [Single-Tenant Simplification](../single-tenant-simplification.md) +**Status:** Not started +**Depends on:** All other work items + +## Summary + +Update documentation to reflect the single-tenant simplification changes. Archive obsolete guides, rewrite affected concept docs, and add explicit security guidance. + +## Scope + +### Archive / remove +- `docs/howto/derive-service-account.md` - No longer needed +- `docs/draft/howto/rbac-permissions-checking.md` - PreflightPermissions removed +- `docs/draft/howto/use-synthetic-permissions.md` - SyntheticPermissions removed +- `docs/draft/howto/single-ownnamespace-install.md` - SingleNamespace/OwnNamespace removed + +### Rewrite +- `docs/concepts/permission-model.md` - Rewrite to describe the new model: operator-controller runs as cluster-admin, security boundary is who can create ClusterExtension/ClusterCatalog resources. +- Tutorials and getting-started guides - Remove ServiceAccount creation steps from installation workflows. + +### New content +- Add a security considerations section to the main documentation: + - ClusterExtension and ClusterCatalog are cluster-admin-only APIs. + - Cluster-admins must not create RBAC granting non-admin users create/update/delete on these resources. + - Rationale: creating a ClusterExtension is equivalent to cluster-admin. +- Add warnings to the API reference documentation for ClusterExtension and ClusterCatalog. + +### Update +- `docs/project/olmv1_design_decisions.md` - Clarify that the security model relies on restricting who can create ClusterExtensions, not on restricting what OLM can do. +- `docs/project/olmv1_limitations.md` - Remove the note about SingleNamespace/OwnNamespace support. diff --git a/docs/getting-started/olmv1_getting_started.md b/docs/getting-started/olmv1_getting_started.md index de6f35f147..b0fb43f6c1 100644 --- a/docs/getting-started/olmv1_getting_started.md +++ b/docs/getting-started/olmv1_getting_started.md @@ -57,14 +57,12 @@ kubectl wait --for=condition=Serving=True clustercatalog/operatorhubio --timeout ### Install a Cluster Extension -For simplicity, the following example manifest includes all necessary resources to install the ArgoCD operator. -The manifest includes installation namespace, installer service account and associated minimal set of RBAC permissions -needed for installation, and the ClusterExtension resource, which specifies the name and version of the extension to install. +The following example installs the ArgoCD operator. The sample manifest includes the installation namespace +and the ClusterExtension resource, which specifies the name and version of the extension to install. More information on installing extensions can be found [here](../tutorials/install-extension.md). ```bash -# Apply the sample ClusterExtension. Manifest already includes -# namespace and adequately privileged service account +# Apply the sample ClusterExtension kubectl apply -f https://raw.githubusercontent.com/operator-framework/operator-controller/main/config/samples/olm_v1_clusterextension.yaml ``` @@ -94,20 +92,9 @@ kubectl delete clusterextension/argocd ### Cleanup -Extension installation requires the creation of a namespace, an installer service account, and its RBAC. Once the -extension is uninstalled, these resources can be cleaned up. +Once the extension is uninstalled, the installation namespace can be cleaned up. ```bash -# Delete namespace, and by extension, the installer service account, Role, and RoleBinding +# Delete the installation namespace kubectl delete namespace argocd ``` - -```bash -# Delete installer service account cluster roles -kubectl delete clusterrole argocd-installer-clusterrole && kubectl delete clusterrole argocd-installer-rbac-clusterrole -``` - -```bash -# Delete installer service account cluster role bindings -kubectl delete clusterrolebinding argocd-installer-binding && kubectl delete clusterrolebinding argocd-installer-rbac-binding -``` diff --git a/docs/howto/derive-service-account.md b/docs/howto/derive-service-account.md index c1c1204da2..7d424ba785 100644 --- a/docs/howto/derive-service-account.md +++ b/docs/howto/derive-service-account.md @@ -1,357 +1,9 @@ # Derive minimal ServiceAccount required for ClusterExtension Installation and Management -OLM v1 does not have permission to install extensions on a cluster by default. In order to install a [supported bundle](../project/olmv1_limitations.md), -OLM must be provided a ServiceAccount configured with the appropriate permissions. +!!! note "No longer applicable" + This guide is no longer relevant. Starting with the single-tenant simplification changes, + operator-controller runs with its own `cluster-admin` ServiceAccount and manages all extension + lifecycle operations directly. Users no longer need to create or configure installer ServiceAccounts. -This document serves as a guide for how to derive the RBAC necessary to install a bundle. - -## Required RBAC - -The required permissions for the installation and management of a cluster extension can be determined by examining the contents of its bundle image. -This bundle image contains all the manifests that make up the extension (e.g. `CustomResourceDefinition`s, `Service`s, `Secret`s, `ConfigMap`s, `Deployment`s etc.) -as well as a [`ClusterServiceVersion`](https://olm.operatorframework.io/docs/concepts/crds/clusterserviceversion/) (CSV) that describes the extension and its service account's permission requirements. - -The service account must have permissions to: - - - create and manage the extension's `CustomResourceDefinition`s - - create and manage the resources packaged in the bundle - - grant the extension controller's service account the permissions it requires for its operation - - create and manage the extension controller's service account - - create and manage the `Role`s, `RoleBinding`s, `ClusterRole`s, and `ClusterRoleBinding`s associated with the extension controller's service account - - create and manage the extension controller's deployment - -Additionally, for clusters that use the [OwnerReferencesPermissionEnforcement](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) admission plug-in, the service account must also have permissions to: - - - update finalizers on the ClusterExtension to be able to set blockOwnerDeletion and ownerReferences - -It is good security practice to follow the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), and scope permissions to specific resource names, wherever possible. -Keep in mind, that it is not possible to scope `create`, `list`, and `watch` permissions to specific resource names. - -Depending on the scope, each permission will need to be added to either a `ClusterRole` or a `Role` and then bound to the service account with a `ClusterRoleBinding` or a `RoleBinding`. - -## Example - -The following example illustrates the process of deriving the minimal RBAC required to install the [ArgoCD Operator](https://operatorhub.io/operator/argocd-operator) [v0.6.0](https://operatorhub.io/operator/argocd-operator/alpha/argocd-operator.v0.6.0) provided by [OperatorHub.io](https://operatorhub.io/). -The final permission set can be found in the [ClusterExtension sample manifest](https://github.com/operator-framework/operator-controller/blob/main/config/samples/olm_v1_clusterextension.yaml) in the [samples](https://github.com/operator-framework/operator-controller/blob/main/config/samples/olm_v1_clusterextension.yaml) directory. - -The bundle includes the following manifests, which can be found [here](https://github.com/argoproj-labs/argocd-operator/tree/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0): - -* `ClusterServiceVersion`: - - [argocd-operator.v0.6.0.clusterserviceversion.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml) -* `CustomResourceDefinition`s: - - [argoproj.io_applicationsets.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_applicationsets.yaml) - - [argoproj.io_applications.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_applications.yaml) - - [argoproj.io_appprojects.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_appprojects.yaml) - - [argoproj.io_argocdexports.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_argocdexports.yaml) - - [argoproj.io_argocds.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_argocds.yaml) -* Additional resources: - - [argocd-operator-controller-manager-metrics-service_v1_service.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator-controller-manager-metrics-service_v1_service.yaml) - - [argocd-operator-manager-config_v1_configmap.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator-manager-config_v1_configmap.yaml) - - [argocd-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml) - -The `ClusterServiceVersion` defines a single `Deployment` in `spec.install.deployments` named `argocd-operator-controller-manager` with a `ServiceAccount` of the same name. -It declares the following cluster-scoped permissions in `spec.install.clusterPermissions`, and its namespace-scoped permissions in `spec.install.permissions`. - -### Derive permissions for the installer service account `ClusterRole` - -#### Step 1. RBAC creation and management permissions - -The installer service account must create and manage the `ClusterRole`s and `ClusterRoleBinding`s for the extension controller(s). -Therefore, it must have the following permissions: - -```yaml -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [create, list, watch] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [get, update, patch, delete] - resourceNames: [, ...] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: [create, list, watch] -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: [get, update, patch, delete] - resourceNames: [, ...] -``` - -!!! note - The `resourceNames` field should be populated with the names of the `ClusterRole`s and `ClusterRoleBinding`s created by OLM v1. - These names are generated with the following format: `.`. Since it is not a trivial task - to generate these names ahead of time, it is recommended to use a wildcard `*` in the `resourceNames` field for the installation. - Then, update the `resourceNames` fields by inspecting the cluster for the generated resource names. For instance, for `ClusterRole`s: - -```terminal -kubectl get clusterroles | grep argocd -``` - -Example output: - -```terminal -argocd-installer-clusterrole 2024-09-30T08:02:09Z -argocd-installer-rbac-clusterrole 2024-09-30T08:02:09Z -argocd-operator-metrics-reader 2024-09-30T08:02:12Z -# The following are the generated ClusterRoles -argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx 2024-09-30T08:02:12Z -argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 2024-09-30T08:02:12Z -``` - -The same can be done for `ClusterRoleBindings`. - -#### Step 2. `CustomResourceDefinition` permissions - -The installer service account must be able to create and manage the `CustomResourceDefinition`s for the extension, as well -as grant the extension controller's service account the permissions it needs to manage its CRDs. - -```yaml -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [create, list, watch] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, update, patch, delete] - # Scoped to the CRDs in the bundle - resourceNames: [applications.argoproj.io, appprojects.argoproj.io, argocds.argoproj.io, argocdexports.argoproj.io, applicationsets.argoproj.io] -``` - -#### Step 3. `OwnerReferencesPermissionEnforcement` permissions - -For clusters that use `OwnerReferencesPermissionEnforcement`, the installer service account must be able to update finalizers on the ClusterExtension to be able to set blockOwnerDeletion and ownerReferences for clusters that use `OwnerReferencesPermissionEnforcement`. -This is only a requirement for clusters that use the [OwnerReferencesPermissionEnforcement](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) admission plug-in. - -```yaml -- apiGroups: [olm.operatorframework.io] - resources: [clusterextensions/finalizers] - verbs: [update] - # Scoped to the name of the ClusterExtension - resourceNames: [argocd-operator.v0.6.0] -``` - -#### Step 4. Bundled cluster-scoped resource permissions - -Permissions must be added for the creation and management of any cluster-scoped resources included in the bundle. -In this example, the ArgoCD bundle contains a `ClusterRole` called `argocd-operator-metrics-reader`. Given that -`ClusterRole` permissions have already been created in [Step 1](#step-1-rbac-creation-and-management-permissions), it -is sufficient to add the `argocd-operator-metrics-reader`resource name to the `resourceName` list of the pre-existing rule: - -```yaml -- apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [get, update, patch, delete] - resourceNames: [, ..., argocd-operator-metrics-reader] -``` - -#### Step 5. Operator permissions declared in the ClusterServiceVersion - -Include all permissions defined in the `.spec.install.permissions` ([reference](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L1091)) and `.spec.install.clusterPermissions` ([reference](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L872)) stanzas in the bundle's `ClusterServiceVersion`. -These permissions are required by the extension controller, and therefore the installer service account must be able to grant them. - -!!! note - There may be overlap between the rules defined in each stanza. Overlapping rules needn't be added twice. - -```yaml -# from .spec.install.clusterPermissions -- apiGroups: [""] - resources: ["configmaps", "endpoints", "events", "namespaces", "persistentvolumeclaims", "pods", "secrets", "serviceaccounts", "services", "services/finalizers"] - verbs: ["*"] -- apiGroups: [""] - resources: ["pods", "pods/log"] - verbs: ["get"] -- apiGroups: ["apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["*"] -- apiGroups: ["apps"] - resourceNames: ["argocd-operator"] - resources: ["deployments/finalizers"] - verbs: ["update"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["*"] -- apiGroups: ["argoproj.io"] - resources: ["applications", "appprojects"] - verbs: ["*"] -- apiGroups: ["argoproj.io"] - resources: ["argocdexports", "argocdexports/finalizers", "argocdexports/status"] - verbs: ["*"] -- apiGroups: ["argoproj.io"] - resources: ["argocds", "argocds/finalizers", "argocds/status"] - verbs: ["*"] -- apiGroups: ["autoscaling"] - resources: ["horizontalpodautoscalers"] - verbs: ["*"] -- apiGroups: ["batch"] - resources: ["cronjobs", "jobs"] - verbs: ["*"] -- apiGroups: ["config.openshift.io"] - resources: ["clusterversions"] - verbs: ["get", "list", "watch"] -- apiGroups: ["monitoring.coreos.com"] - resources: ["prometheuses", "servicemonitors"] - verbs: ["*"] -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["*"] -- apiGroups: ["oauth.openshift.io"] - resources: ["oauthclients"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterrolebindings", "clusterroles"] - verbs: ["*"] -- apiGroups: ["route.openshift.io"] - resources: ["routes", "routes/custom-host"] - verbs: ["*"] -- apiGroups: ["template.openshift.io"] - resources: ["templateconfigs", "templateinstances", "templates"] - verbs: ["*"] -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - -# copied from .spec.install.permissions -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -# overlapping permissions: -# - apiGroups: [""] -# resources: ["configmaps"] -# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -# - apiGroups: [""] -# resources: ["events"] -# verbs: ["create", "patch"] -``` - -### Derive permissions for the installer service account `Role` - -The following steps detail how to define the namespace-scoped permissions needed by the installer service account's `Role`. -The installer service account must create and manage the `RoleBinding`s for the extension controller(s). - -#### Step 1. `Deployment` permissions - -The installer service account must be able to create and manage the `Deployment`s for the extension controller(s). -The `Deployment` name(s) can be found in the `ClusterServiceVersion` resource packed in the bundle under `.spec.install.deployments` ([reference](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L1029)). -This example's `ClusterServiceVersion` can be found [here](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml). - -```yaml -- apiGroups: [apps] - resources: [deployments] - verbs: [create] -- apiGroups: [apps] - resources: [deployments] - verbs: [get, list, watch, update, patch, delete] - # scoped to the extension controller deployment name - resourceNames: [argocd-operator-controller-manager] -``` - -#### Step 2: `ServiceAccount` permissions - -The installer service account must be able to create and manage the `ServiceAccount`(s) for the extension controller(s). -The `ServiceAccount` name(s) can be found in deployment template in the `ClusterServiceVersion` resource packed in the bundle under `.spec.install.deployments`. -This example's `ClusterServiceVersion` can be found [here](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml). - -```yaml -- apiGroups: [""] - resources: [serviceaccounts] - verbs: [create, list, watch] -- apiGroups: [""] - resources: [serviceaccounts] - verbs: [get, update, patch, delete] - # scoped to the extension controller's deployment service account - resourceNames: [argocd-operator-controller-manager] -``` - -#### Step 3. Bundled namespace-scoped resource permissions - -The installer service account must also create and manage other namespace-scoped resources included in the bundle. -In this example, the bundle also includes two additional namespace-scoped resources: - - * the [argocd-operator-controller-manager-metrics-service](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator-controller-manager-metrics-service_v1_service.yaml) `Service`, and - * the [argocd-operator-manager-config](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator-manager-config_v1_configmap.yaml) `ConfigMap` - -Therefore, the following permissions must be given to the installer service account: - -```yaml -- apiGroups: [""] - resources: [services] - verbs: [create] -- apiGroups: [""] - resources: [services] - verbs: [get, list, watch, update, patch, delete] - # scoped to the service name - resourceNames: [argocd-operator-controller-manager-metrics-service] -- apiGroups: [""] - resources: [configmaps] - verbs: [create] -- apiGroups: [""] - resources: [configmaps] - verbs: [get, list, watch, update, patch, delete] - # scoped to the configmap name - resourceNames: [argocd-operator-manager-config] -``` - -### Putting it all together - -Once the installer service account required cluster-scoped and namespace-scoped permissions have been collected: - -1. Create the installation namespace -2. Create the installer `ServiceAccount` -3. Create the installer `ClusterRole` -4. Create the `ClusterRoleBinding` between the installer service account and its cluster role -5. Create the installer `Role` -6. Create the `RoleBinding` between the installer service account and its role -7. Create the `ClusterExtension` - -A manifest with the full set of resources can be found [here](https://github.com/operator-framework/operator-controller/blob/main/config/samples/olm_v1_clusterextension.yaml). - -## Alternatives - -We understand that manually determining the minimum RBAC required for installation/upgrade of a `ClusterExtension` quite complex and protracted. -In the near future, OLM v1 will provide tools and automation in order to simplify this process while maintaining our security posture. -For users wishing to test out OLM v1 in a non-production settings, we offer the following alternatives: - -### Give the installer service account admin privileges - -The `cluster-admin` `ClusterRole` can be bound to the installer service account giving it full permissions to the cluster. -While this obviates the need to determine the minimal RBAC required for installation, it is also dangerous. It is highly recommended -that this alternative only be used in test clusters. Never in production. - -Below is an example ClusterRoleBinding using the cluster-admin ClusterRole: - -```terminal -# Create ClusterRole -kubectl apply -f - < spec: namespace: - serviceAccount: - name: source: sourceType: Catalog catalog: @@ -67,11 +50,6 @@ For information on determining the ServiceAccount's permission, please see [Deri : Specifies a name for the namespace in which the bundle of content for the package referenced in the packageName field will be applied. - `serviceAccount_name` - : serviceAccount name is a required reference to a ServiceAccount that exists - in the `namespace_name`. The provided ServiceAccount is used to install and - manage the content for the package specified in the packageName field. - !!! warning Currently, the following limitations affect the installation of extensions: @@ -118,8 +96,6 @@ For information on determining the ServiceAccount's permission, please see [Deri UID: bde55f03-abe2-48af-8c09-28d32df878ad Spec: Namespace: argocd - Service Account: - Name: argocd-installer Source: Catalog: Package Name: argocd-operator diff --git a/docs/tutorials/uninstall-extension.md b/docs/tutorials/uninstall-extension.md index 2345e0edec..119c0dbffd 100644 --- a/docs/tutorials/uninstall-extension.md +++ b/docs/tutorials/uninstall-extension.md @@ -40,4 +40,4 @@ You can uninstall a Kubernetes extension and its associated custom resource defi ### Cleanup -* Remove the extension namespace, and installer service account cluster-scoped RBAC resources (if applicable). +* Remove the extension namespace (if applicable). diff --git a/docs/tutorials/upgrade-extension.md b/docs/tutorials/upgrade-extension.md index b8b2aa5aad..9e1adc8517 100644 --- a/docs/tutorials/upgrade-extension.md +++ b/docs/tutorials/upgrade-extension.md @@ -14,7 +14,6 @@ For information on downgrading an extension, see [Downgrade an Extension](downgr * You have a ClusterExtension installed * The target version is compatible with OLM v1 (see [OLM v1 limitations](../project/olmv1_limitations.md)) * Any changes to the CustomResourceDefinition in the new version meet compatibility requirements (see [CRD upgrade safety](../concepts/crd-upgrade-safety.md)) -* The installer ServiceAccount's RBAC permissions are adequate for the target version (see [Minimal RBAC for Installer Service Account](../howto/derive-service-account.md)) * You are not attempting to upgrade between minor versions with a major version of zero (see [Upgrades within the major version zero](../concepts/upgrade-support.md#upgrades-within-the-major-version-zero)) For more detailed information see [Upgrade Support](../concepts/upgrade-support.md). @@ -33,266 +32,12 @@ saving it to a local file and then running `kubectl apply -f FILENAME`: metadata: name: argocd --- - apiVersion: v1 - kind: ServiceAccount - metadata: - name: argocd-installer - namespace: argocd - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: argocd-installer-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-installer-clusterrole - subjects: - - kind: ServiceAccount - name: argocd-installer - namespace: argocd - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: argocd-installer-clusterrole - rules: - # Allow ClusterExtension to set blockOwnerDeletion ownerReferences - - apiGroups: [olm.operatorframework.io] - resources: [clusterextensions/finalizers] - verbs: [update] - resourceNames: [argocd] - # Manage ArgoCD CRDs - - apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [create, list, watch] - - apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, update, patch, delete] - resourceNames: - - appprojects.argoproj.io - - argocds.argoproj.io - - applications.argoproj.io - - argocdexports.argoproj.io - - applicationsets.argoproj.io - # Manage ArgoCD ClusterRoles and ClusterRoleBindings - - apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [create, list, watch] - - apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: [get, update, patch, delete] - resourceNames: - - argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx - - argocd-operator-metrics-reader - - argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 - - apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: [create, list, watch] - - apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: [get, update, patch, delete] - resourceNames: - - argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx - - argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: argocd-installer-rbac-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-installer-rbac-clusterrole - subjects: - - kind: ServiceAccount - name: argocd-installer - namespace: argocd - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: argocd-installer-rbac-clusterrole - rules: - - apiGroups: [""] - resources: [configmaps] - verbs: ['*'] - - apiGroups: [""] - resources: [endpoints] - verbs: ['*'] - - apiGroups: [""] - resources: [events] - verbs: ['*'] - - apiGroups: [""] - resources: [namespaces] - verbs: ['*'] - - apiGroups: [""] - resources: [persistentvolumeclaims] - verbs: ['*'] - - apiGroups: [""] - resources: [pods] - verbs: ['*', get] - - apiGroups: [""] - resources: [pods/log] - verbs: [get] - - apiGroups: [""] - resources: [secrets] - verbs: ['*'] - - apiGroups: [""] - resources: [serviceaccounts] - verbs: ['*'] - - apiGroups: [""] - resources: [services] - verbs: ['*'] - - apiGroups: [""] - resources: [services/finalizers] - verbs: ['*'] - - apiGroups: [apps] - resources: [daemonsets] - verbs: ['*'] - - apiGroups: [apps] - resources: [deployments] - verbs: ['*'] - - apiGroups: [apps] - resources: [deployments/finalizers] - resourceNames: [argocd-operator] - verbs: [update] - - apiGroups: [apps] - resources: [replicasets] - verbs: ['*'] - - apiGroups: [apps] - resources: [statefulsets] - verbs: ['*'] - - apiGroups: [apps.openshift.io] - resources: [deploymentconfigs] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [applications] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [appprojects] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [argocdexports] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [argocdexports/finalizers] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [argocdexports/status] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [argocds] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [argocds/finalizers] - verbs: ['*'] - - apiGroups: [argoproj.io] - resources: [argocds/status] - verbs: ['*'] - - apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - apiGroups: [autoscaling] - resources: [horizontalpodautoscalers] - verbs: ['*'] - - apiGroups: [batch] - resources: [cronjobs] - verbs: ['*'] - - apiGroups: [batch] - resources: [jobs] - verbs: ['*'] - - apiGroups: [config.openshift.io] - resources: [clusterversions] - verbs: [get, list, watch] - - apiGroups: [monitoring.coreos.com] - resources: [prometheuses] - verbs: ['*'] - - apiGroups: [monitoring.coreos.com] - resources: [servicemonitors] - verbs: ['*'] - - apiGroups: [networking.k8s.io] - resources: [ingresses] - verbs: ['*'] - - apiGroups: [rbac.authorization.k8s.io] - resources: ['*'] - verbs: ['*'] - - apiGroups: [rbac.authorization.k8s.io] - resources: [clusterrolebindings] - verbs: ['*'] - - apiGroups: [rbac.authorization.k8s.io] - resources: [clusterroles] - verbs: ['*'] - - apiGroups: [route.openshift.io] - resources: [routes] - verbs: ['*'] - - apiGroups: [route.openshift.io] - resources: [routes/custom-host] - verbs: ['*'] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: argocd-installer-role - namespace: argocd - rules: - - apiGroups: [""] - resources: [serviceaccounts] - verbs: [create, list, watch] - - apiGroups: [""] - resources: [serviceaccounts] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-controller-manager] - - apiGroups: [""] - resources: [configmaps] - verbs: [create, list, watch] - - apiGroups: [""] - resources: [configmaps] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-manager-config] - - apiGroups: [""] - resources: [services] - verbs: [create, list, watch] - - apiGroups: [""] - resources: [services] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-controller-manager-metrics-service] - - apiGroups: [apps] - resources: [deployments] - verbs: [create, list, watch] - - apiGroups: [apps] - resources: [deployments] - verbs: [get, update, patch, delete] - resourceNames: [argocd-operator-controller-manager] - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: argocd-installer-binding - namespace: argocd - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-installer-role - subjects: - - kind: ServiceAccount - name: argocd-installer - namespace: argocd - --- apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension metadata: name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: @@ -328,8 +73,6 @@ kubectl get clusterextension argocd -o jsonpath-as-json="{.status.install}" name: argocd spec: namespace: argocd - serviceAccount: - name: argocd-installer source: sourceType: Catalog catalog: diff --git a/go.mod b/go.mod index 4c4a0ff479..4f470c2063 100644 --- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/stretchr/testify v1.11.1 go.podman.io/image/v5 v5.39.1 golang.org/x/exp v0.0.0-20260209203927-2842357ff358 - golang.org/x/mod v0.33.0 + golang.org/x/mod v0.33.0 // indirect golang.org/x/sync v0.19.0 golang.org/x/tools v0.42.0 helm.sh/helm/v3 v3.20.0 @@ -43,7 +43,6 @@ require ( k8s.io/client-go v0.35.0 k8s.io/component-base v0.35.0 k8s.io/klog/v2 v2.130.1 - k8s.io/kubernetes v1.35.0 k8s.io/utils v0.0.0-20260108192941-914a6e750570 pkg.package-operator.run/boxcutter v0.10.0 sigs.k8s.io/controller-runtime v0.23.1 @@ -53,10 +52,7 @@ require ( sigs.k8s.io/yaml v1.6.0 ) -require ( - k8s.io/component-helpers v0.35.0 // indirect - k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect -) +require k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect require ( cel.dev/expr v0.25.1 // indirect @@ -244,7 +240,6 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/controller-manager v0.33.2 // indirect k8s.io/kubectl v0.35.0 // indirect oras.land/oras-go/v2 v2.6.0 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect @@ -256,63 +251,3 @@ require ( ) retract v1.5.0 // contains filename with ':' which causes failure creating module zip file - -replace k8s.io/api => k8s.io/api v0.35.0 - -replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.35.0 - -replace k8s.io/apimachinery => k8s.io/apimachinery v0.35.0 - -replace k8s.io/apiserver => k8s.io/apiserver v0.35.0 - -replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.35.0 - -replace k8s.io/client-go => k8s.io/client-go v0.35.0 - -replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.35.0 - -replace k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.35.0 - -replace k8s.io/code-generator => k8s.io/code-generator v0.35.0 - -replace k8s.io/component-base => k8s.io/component-base v0.35.0 - -replace k8s.io/component-helpers => k8s.io/component-helpers v0.35.0 - -replace k8s.io/controller-manager => k8s.io/controller-manager v0.35.0 - -replace k8s.io/cri-api => k8s.io/cri-api v0.35.0 - -replace k8s.io/cri-client => k8s.io/cri-client v0.35.0 - -replace k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.35.0 - -replace k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.35.0 - -replace k8s.io/endpointslice => k8s.io/endpointslice v0.35.0 - -replace k8s.io/externaljwt => k8s.io/externaljwt v0.35.0 - -replace k8s.io/kms => k8s.io/kms v0.35.0 - -replace k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.35.0 - -replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.35.0 - -replace k8s.io/kube-proxy => k8s.io/kube-proxy v0.35.0 - -replace k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.35.0 - -replace k8s.io/kubectl => k8s.io/kubectl v0.35.0 - -replace k8s.io/kubelet => k8s.io/kubelet v0.35.0 - -replace k8s.io/kubernetes => k8s.io/kubernetes v1.35.0 - -replace k8s.io/metrics => k8s.io/metrics v0.35.0 - -replace k8s.io/mount-utils => k8s.io/mount-utils v0.35.0 - -replace k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.35.0 - -replace k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.35.0 diff --git a/go.sum b/go.sum index dcd7dfd153..d57548112c 100644 --- a/go.sum +++ b/go.sum @@ -780,18 +780,12 @@ k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE= k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o= k8s.io/component-base v0.35.0 h1:+yBrOhzri2S1BVqyVSvcM3PtPyx5GUxCK2tinZz1G94= k8s.io/component-base v0.35.0/go.mod h1:85SCX4UCa6SCFt6p3IKAPej7jSnF3L8EbfSyMZayJR0= -k8s.io/component-helpers v0.35.0 h1:wcXv7HJRksgVjM4VlXJ1CNFBpyDHruRI99RrBtrJceA= -k8s.io/component-helpers v0.35.0/go.mod h1:ahX0m/LTYmu7fL3W8zYiIwnQ/5gT28Ex4o2pymF63Co= -k8s.io/controller-manager v0.35.0 h1:KteodmfVIRzfZ3RDaxhnHb72rswBxEngvdL9vuZOA9A= -k8s.io/controller-manager v0.35.0/go.mod h1:1bVuPNUG6/dpWpevsJpXioS0E0SJnZ7I/Wqc9Awyzm4= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 h1:HhDfevmPS+OalTjQRKbTHppRIz01AWi8s45TMXStgYY= k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc= k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo= -k8s.io/kubernetes v1.35.0 h1:PUOojD8c8E3csMP5NX+nLLne6SGqZjrYCscptyBfWMY= -k8s.io/kubernetes v1.35.0/go.mod h1:Tzk9Y9W/XUFFFgTUVg+BAowoFe+Pc7koGLuaiLHdcFg= k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY= k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= diff --git a/hack/demo/own-namespace-demo-script.sh b/hack/demo/own-namespace-demo-script.sh deleted file mode 100755 index 86b3d28760..0000000000 --- a/hack/demo/own-namespace-demo-script.sh +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/env bash - -# -# Welcome to the OwnNamespace install mode demo -# -set -e -trap 'echo "Demo ran into error"; trap - SIGTERM && kill -- -$$; exit 1' ERR SIGINT SIGTERM EXIT - -# install standard CRDs -echo "Install standard CRDs..." -kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/../../manifests/standard.yaml" - -# wait for standard CRDs to be available -kubectl wait --for condition=established --timeout=60s crd/clusterextensions.olm.operatorframework.io - -# Ensure controller is healthy -kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager - -# create install namespace -kubectl create ns argocd-system - -# create installer service account -kubectl create serviceaccount -n argocd-system argocd-installer - -# give installer service account admin privileges (not for production environments) -kubectl create clusterrolebinding argocd-installer-crb --clusterrole=cluster-admin --serviceaccount=argocd-system:argocd-installer - -# install cluster extension in own namespace install mode (watch-namespace == install namespace == argocd-system) -cat ${DEMO_RESOURCE_DIR}/own-namespace-demo.yaml - -# apply cluster extension -kubectl apply -f ${DEMO_RESOURCE_DIR}/own-namespace-demo.yaml - -# wait for cluster extension installation to succeed -kubectl wait --for=condition=Installed clusterextension/argocd-operator --timeout="60s" - -# check argocd-operator controller deployment pod template olm.targetNamespaces annotation -kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.metadata.annotations.olm\.targetNamespaces}" - -# check for argocd-operator rbac in watch namespace -kubectl get roles,rolebindings -n argocd-system -o name - -# get controller service-account name -kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.spec.serviceAccount}" - -# check service account for role binding is the same as controller service-account -rolebinding=$(kubectl get rolebindings -n argocd-system -o name | grep 'argocd-operator' | head -n 1) -kubectl get -n argocd-system $rolebinding -o jsonpath='{.subjects}' | jq .[0] - -echo "Demo completed successfully!" - -# cleanup resources -echo "Cleaning up demo resources..." -kubectl delete clusterextension argocd-operator --ignore-not-found=true -kubectl delete namespace argocd-system --ignore-not-found=true -kubectl delete clusterrolebinding argocd-installer-crb --ignore-not-found=true - -# wait for operator-controller to become available with standard config -kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager - -echo "Demo cleanup completed!" diff --git a/hack/demo/resources/own-namespace-demo.yaml b/hack/demo/resources/own-namespace-demo.yaml deleted file mode 100644 index b22db7aa04..0000000000 --- a/hack/demo/resources/own-namespace-demo.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: olm.operatorframework.io/v1 -kind: ClusterExtension -metadata: - name: argocd-operator -spec: - namespace: argocd-system - serviceAccount: - name: argocd-installer - source: - sourceType: Catalog - catalog: - packageName: argocd-operator - version: 0.6.0 diff --git a/hack/demo/resources/single-namespace-demo.yaml b/hack/demo/resources/single-namespace-demo.yaml deleted file mode 100644 index 9c1ac17f9f..0000000000 --- a/hack/demo/resources/single-namespace-demo.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: olm.operatorframework.io/v1 -kind: ClusterExtension -metadata: - name: argocd-operator -spec: - namespace: argocd-system - serviceAccount: - name: argocd-installer - config: - configType: Inline - inline: - watchNamespace: argocd - source: - sourceType: Catalog - catalog: - packageName: argocd-operator - version: 0.6.0 diff --git a/hack/demo/resources/synthetic-user-perms/argocd-clusterextension.yaml b/hack/demo/resources/synthetic-user-perms/argocd-clusterextension.yaml deleted file mode 100644 index 7eb5a7082b..0000000000 --- a/hack/demo/resources/synthetic-user-perms/argocd-clusterextension.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: olm.operatorframework.io/v1 -kind: ClusterExtension -metadata: - name: argocd-operator -spec: - namespace: argocd-system - serviceAccount: - name: "olm.synthetic-user" - source: - sourceType: Catalog - catalog: - packageName: argocd-operator - version: 0.6.0 diff --git a/hack/demo/resources/synthetic-user-perms/cegroup-admin-binding.yaml b/hack/demo/resources/synthetic-user-perms/cegroup-admin-binding.yaml deleted file mode 100644 index d0ab570f7b..0000000000 --- a/hack/demo/resources/synthetic-user-perms/cegroup-admin-binding.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: clusterextensions-group-admin-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: Group - name: "olm:clusterextensions" diff --git a/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml b/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml index 19b7eceb08..1f5ccd31ea 100644 --- a/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml +++ b/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml @@ -4,8 +4,6 @@ metadata: name: webhook-operator spec: namespace: webhook-operator - serviceAccount: - name: webhook-operator-installer source: catalog: packageName: webhook-operator diff --git a/hack/demo/single-namespace-demo-script.sh b/hack/demo/single-namespace-demo-script.sh deleted file mode 100755 index 885854dd9d..0000000000 --- a/hack/demo/single-namespace-demo-script.sh +++ /dev/null @@ -1,64 +0,0 @@ -#!/usr/bin/env bash - -# -# Welcome to the SingleNamespace install mode demo -# -set -e -trap 'echo "Demo ran into error"; trap - SIGTERM && kill -- -$$; exit 1' ERR SIGINT SIGTERM EXIT - -# install standard CRDs -echo "Install standard CRDs..." -kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/../../manifests/standard.yaml" - -# wait for standard CRDs to be available -kubectl wait --for condition=established --timeout=60s crd/clusterextensions.olm.operatorframework.io - -# Ensure controller is healthy -kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager - -# create install namespace -kubectl create ns argocd-system - -# create installer service account -kubectl create serviceaccount -n argocd-system argocd-installer - -# give installer service account admin privileges (not for production environments) -kubectl create clusterrolebinding argocd-installer-crb --clusterrole=cluster-admin --serviceaccount=argocd-system:argocd-installer - -# create watch namespace -kubectl create namespace argocd - -# install cluster extension in single namespace install mode (watch namespace != install namespace) -cat ${DEMO_RESOURCE_DIR}/single-namespace-demo.yaml - -# apply cluster extension -kubectl apply -f ${DEMO_RESOURCE_DIR}/single-namespace-demo.yaml - -# wait for cluster extension installation to succeed -kubectl wait --for=condition=Installed clusterextension/argocd-operator --timeout="60s" - -# check argocd-operator controller deployment pod template olm.targetNamespaces annotation -kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.metadata.annotations.olm\.targetNamespaces}" - -# check for argocd-operator rbac in watch namespace -kubectl get roles,rolebindings -n argocd -o name - -# get controller service-account name -kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.spec.serviceAccount}" - -# check service account for role binding is the controller deployment service account -rolebinding=$(kubectl get rolebindings -n argocd -o name | grep 'argocd-operator' | head -n 1) -kubectl get -n argocd $rolebinding -o jsonpath='{.subjects}' | jq .[0] - -echo "Demo completed successfully!" - -# cleanup resources -echo "Cleaning up demo resources..." -kubectl delete clusterextension argocd-operator --ignore-not-found=true -kubectl delete namespace argocd-system argocd --ignore-not-found=true -kubectl delete clusterrolebinding argocd-installer-crb --ignore-not-found=true - -# wait for operator-controller to become available with standard config -kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager - -echo "Demo cleanup completed!" diff --git a/hack/demo/synthetic-user-cluster-admin-demo-script.sh b/hack/demo/synthetic-user-cluster-admin-demo-script.sh deleted file mode 100755 index 4790e46e77..0000000000 --- a/hack/demo/synthetic-user-cluster-admin-demo-script.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bash - -# -# Welcome to the SingleNamespace install mode demo -# -trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT - -# enable 'SyntheticPermissions' feature -kubectl kustomize config/overlays/featuregate/synthetic-user-permissions | kubectl apply -f - - -# wait for operator-controller to become available -kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager - -# create install namespace -kubectl create ns argocd-system - -# give cluster extension group cluster admin privileges - all cluster extensions installer users will be cluster admin -bat --style=plain ${DEMO_RESOURCE_DIR}/synthetic-user-perms/cegroup-admin-binding.yaml - -# apply cluster role binding -kubectl apply -f ${DEMO_RESOURCE_DIR}/synthetic-user-perms/cegroup-admin-binding.yaml - -# install cluster extension - for now .spec.serviceAccount = "olm.synthetic-user" -bat --style=plain ${DEMO_RESOURCE_DIR}/synthetic-user-perms/argocd-clusterextension.yaml - -# apply cluster extension -kubectl apply -f ${DEMO_RESOURCE_DIR}/synthetic-user-perms/argocd-clusterextension.yaml - -# wait for cluster extension installation to succeed -kubectl wait --for=condition=Installed clusterextension/argocd-operator --timeout="60s" diff --git a/hack/test/pre-upgrade-setup.sh b/hack/test/pre-upgrade-setup.sh index f2dc28761c..1e42d3560e 100755 --- a/hack/test/pre-upgrade-setup.sh +++ b/hack/test/pre-upgrade-setup.sh @@ -32,6 +32,9 @@ spec: pollIntervalMinutes: 1440 EOF +# The ServiceAccount, ClusterRole, and ClusterRoleBinding below are required +# for backward compatibility: this script runs against the OLD version's CRD +# during upgrade tests, which still requires spec.serviceAccount. kubectl apply -f - < Namespace where the extension is installed -e - Name of the extension - -cr - Name of the cluster role - -r - Name of the role - -s - Name of the service account --template - Generate template manifests Default resource name format: * Namespace: -system * Extension name: - * ClusterRole name: -cluster-role - * Role name: -installer-role - * ServiceAccount name: -installer - * ClusterRoleBinding name: -binding - * RoleBinding name: -binding -Use `--template` to generate templated manifests that can be customized before applying to the cluster. +Use `--template` to generate templated manifests that can be customized before applying to the cluster. Template manifests will contain the following template variables: Template Variables: * `${NAMESPACE}` - Namespace where the extension is installed * `${EXTENSION_NAME}` - Name of the extension -* `${CLUSTER_ROLE_NAME}` - Name of the cluster role -* `${ROLE_NAME}` - Name of the role -* `${SERVICE_ACCOUNT_NAME}` - Name of the service account Examples: @@ -165,13 +154,3 @@ Examples: # Generate templated installation manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog generate-manifests install argocd-operator 0.6.0 --template < operatorhubio-catalog.json ``` - - ``` terminal - # Generate RBAC manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog - generate-manifests rbac argocd-operator 0.6.0 < operatorhubio-catalog.json - ``` - - ``` terminal - # Generate templated RBAC manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog - generate-manifests rbac argocd-operator 0.6.0 --template < operatorhubio-catalog.json - ``` diff --git a/hack/tools/catalogs/generate-manifests b/hack/tools/catalogs/generate-manifests index 02c48a7aec..3a1f3fb400 100755 --- a/hack/tools/catalogs/generate-manifests +++ b/hack/tools/catalogs/generate-manifests @@ -7,7 +7,7 @@ set -o pipefail SCRIPT_ROOT=$(dirname "$(realpath "$0")") source "${SCRIPT_ROOT}/lib/unpack.sh" -source "${SCRIPT_ROOT}/lib/collect-rbac.sh" +source "${SCRIPT_ROOT}/lib/manifests.sh" source "${SCRIPT_ROOT}/lib/utils.sh" # Check there is a container runtime (podman, or docker) @@ -23,50 +23,30 @@ usage() { echo "Usage:" echo "" echo "Generate installation manifests" - echo "$0 install [-n namespace] [-e cluster-extension-name] [-cr cluster-role-name] [-r role-name] [-s service-account-name] [--template]" + echo "$0 install [-n namespace] [-e cluster-extension-name] [--template]" echo "" - echo "Generate RBAC manifests" - echo "$0 rbac [-n namespace] [-e cluster-extension-name] [-cr cluster-role-name] [-r role-name] [-s service-account-name] [--template]" - echo "" - echo "Generate installation or RBAC manifests for a registry+v1 package given an FBC catalog in stdin" + echo "Generate installation manifests for a registry+v1 package given an FBC catalog in stdin" echo "" echo "Options:" echo " -n - Namespace where the extension is installed" echo " -e - Name of the extension" - echo " -cr - Name of the cluster role" - echo " -r - Name of the role" - echo " -s - Name of the service account" echo " --template - Generate template manifests" echo "" echo "Template Variables:" echo " * \${NAMESPACE} - Namespace where the extension is installed" echo " * \${EXTENSION_NAME} - Name of the extension" - echo " * \${CLUSTER_ROLE_NAME} - Name of the cluster role" - echo " * \${ROLE_NAME} - Name of the role" - echo " * \${SERVICE_ACCOUNT_NAME} - Name of the service account" echo "" echo "Default Resource Name Format:" echo " * Namespace: -system" echo " * Extension name: " - echo " * ClusterRole name: -cluster-role" - echo " * Role name: -installer-role" - echo " * ServiceAccount name: -installer" - echo " * ClusterRoleBinding name: -binding" - echo " * RoleBinding name: -binding" echo "" echo "Examples:" echo " # Generate installation manifests for the argocd-operator package" echo " $0 install argocd-operator 0.6.0 < operatorhubio-catalog.json" echo "" - echo " # Generate RBAC manifests for the argocd-operator package" - echo " $0 rbac argocd-operator 0.6.0 < operatorhubio-catalog.json" - echo "" echo " # Generate templated installation manifests for the argocd-operator package" echo " $0 install argocd-operator 0.6.0 --template < operatorhubio-catalog.json" echo "" - echo " # Generate templated RBAC manifests for the argocd-operator package" - echo " $0 rbac argocd-operator 0.6.0 --template < operatorhubio-catalog.json" - echo "" echo "WARNING: This script is a stopgap solution until proper tools are available in OLMv1 - it is not guaranteed to work with all packages." } @@ -84,9 +64,6 @@ export PACKAGE_VERSION=$3 # Initialize environment variables with template defaults export NAMESPACE="\${NAMESPACE}" export EXTENSION_NAME="\${EXTENSION_NAME}" -export CLUSTER_ROLE_NAME="\${CLUSTER_ROLE_NAME}" -export ROLE_NAME="\${ROLE_NAME}" -export SERVICE_ACCOUNT_NAME="\${SERVICE_ACCOUNT_NAME}" export DEBUG=false template=false @@ -104,18 +81,6 @@ while [[ $# -gt 0 ]]; do export EXTENSION_NAME="$2" shift 2 ;; - -cr) - export CLUSTER_ROLE_NAME="$2" - shift 2 - ;; - -r) - export ROLE_NAME="$2" - shift 2 - ;; - -s) - export SERVICE_ACCOUNT_NAME="$2" - shift 2 - ;; --template) template=true shift @@ -136,18 +101,12 @@ done if [ "$template" = false ]; then [ "$EXTENSION_NAME" == "\${EXTENSION_NAME}" ] && export EXTENSION_NAME="${PACKAGE_NAME}" [ "$NAMESPACE" == "\${NAMESPACE}" ] && export NAMESPACE="${EXTENSION_NAME}-system" - [ "$SERVICE_ACCOUNT_NAME" == "\${SERVICE_ACCOUNT_NAME}" ] && export SERVICE_ACCOUNT_NAME="${PACKAGE_NAME}-installer" - [ "$CLUSTER_ROLE_NAME" == "\${CLUSTER_ROLE_NAME}" ] && export CLUSTER_ROLE_NAME="${SERVICE_ACCOUNT_NAME}-cluster-role" - [ "$ROLE_NAME" == "\${ROLE_NAME}" ] && export ROLE_NAME="${SERVICE_ACCOUNT_NAME}-installer-role" fi # Output the set environment variables for confirmation debug "Environment variables set:" debug "NAMESPACE=${NAMESPACE}" debug "EXTENSION_NAME=${EXTENSION_NAME}" -debug "CLUSTER_ROLE_NAME=${CLUSTER_ROLE_NAME}" -debug "ROLE_NAME=${ROLE_NAME}" -debug "SERVICE_ACCOUNT_NAME=${SERVICE_ACCOUNT_NAME}" # Find bundle image image="$(cat - | get-bundle-image "${PACKAGE_NAME}" "${PACKAGE_VERSION}")" @@ -155,8 +114,6 @@ image="$(cat - | get-bundle-image "${PACKAGE_NAME}" "${PACKAGE_VERSION}")" # Unpack and close container bundle_manifest_dir="$("${SCRIPT_ROOT}/unpack-bundle" "${image}")" -# Derive rbac from bundle manifests -collect_installer_rbac "${bundle_manifest_dir}" echo "Done" >&2 # Example output or further processing based on command @@ -164,9 +121,6 @@ case "${COMMAND}" in install) generate_install_manifests | envsubst ;; - rbac) - generate_rbac_manifests | envsubst - ;; *) echo "Unknown command ${COMMAND}" usage @@ -179,4 +133,4 @@ if [ "${DEBUG,,}" != "false" ]; then debug "Skipping cleanup of manifest directory: ${bundle_manifest_dir}" else rm -rf "${bundle_manifest_dir}" -fi \ No newline at end of file +fi diff --git a/hack/tools/catalogs/lib/manifests.sh b/hack/tools/catalogs/lib/manifests.sh index 156eea677e..f8482222fc 100644 --- a/hack/tools/catalogs/lib/manifests.sh +++ b/hack/tools/catalogs/lib/manifests.sh @@ -11,77 +11,6 @@ metadata: EOF } -generate_service_account() { - cat <` to update the dependency. - - **Default Behavior:** - If `K8S_IO_K8S_VERSION` is not set, the tool reads the version of `k8s.io/kubernetes` from the `go.mod` file. - -3. **Compute the Target Staging Version:** - - Converts a Kubernetes version in the form `v1.xx.yy` into the staging version format `v0.xx.yy`. - - If the target staging version is unavailable, the tool attempts to fall back to the previous patch version. - -4. **Updating Module Replace Directives:** - - Retrieves the full dependency graph using `go list -m -json all`. - - Identifies relevant `k8s.io/*` modules (skipping the main module and version-suffixed modules). - - Removes outdated `replace` directives (ignoring local path replacements). - - Adds new `replace` directives to pin modules—including `k8s.io/kubernetes`—to the computed staging version. - -5. **Finalizing Changes:** - - Writes the updated `go.mod` file. - - Runs `go mod tidy` to clean up dependencies. - - Executes `go mod download k8s.io/kubernetes` to update `go.sum`. - - Logs any issues, such as modules remaining at an untagged version (`v0.0.0`), which may indicate upstream tagging problems. - -## Environment Variables - -- **K8S_IO_K8S_VERSION (optional):** - When set, this environment variable overrides the Kubernetes version found in `go.mod`. The tool validates this semver string, updates the dependency using `go get`, and processes modules accordingly. - -## Additional Notes - -- The tool ensures consistency across all `k8s.io/*` modules, even if they are not explicitly listed in `go.mod`. -- If a suitable staging version is not found, a warning is logged and the closest valid version is used. -- All operations are logged, which helps in troubleshooting and verifying the process. \ No newline at end of file diff --git a/hack/tools/k8smaintainer/main.go b/hack/tools/k8smaintainer/main.go deleted file mode 100644 index 978c884a61..0000000000 --- a/hack/tools/k8smaintainer/main.go +++ /dev/null @@ -1,410 +0,0 @@ -package main - -import ( - "bytes" - "encoding/json" - "fmt" - "io/fs" - "log" - "os" - "os/exec" - "path/filepath" - "sort" - "strings" - - "github.com/blang/semver/v4" - "golang.org/x/mod/modfile" - "golang.org/x/mod/module" -) - -const ( - k8sRepo = "k8s.io/kubernetes" - expectedMajorMinorParts = 2 - goModFilename = "go.mod" - goModFilePerms = fs.FileMode(0600) - minGoListVersionFields = 2 - minPatchNumberToDecrementFrom = 1 // We can only decrement patch if it's 1 or greater (to get 0 or greater) - k8sVersionEnvVar = "K8S_IO_K8S_VERSION" -) - -//nolint:gochecknoglobals -var goExe = "go" - -// readAndParseGoMod reads and parses the go.mod file. -func readAndParseGoMod(filename string) (*modfile.File, error) { - modBytes, err := os.ReadFile(filename) - if err != nil { - return nil, fmt.Errorf("error reading %s: %w", filename, err) - } - modF, err := modfile.Parse(filename, modBytes, nil) - if err != nil { - return nil, fmt.Errorf("error parsing %s: %w", filename, err) - } - return modF, nil -} - -// getK8sVersionFromEnv processes the version specified via environment variable. -// It validates the version and runs `go get` to update the dependency. -func getK8sVersionFromEnv(targetK8sVer string) (string, error) { - log.Printf("Found target %s version override from env var %s: %s", k8sRepo, k8sVersionEnvVar, targetK8sVer) - if _, err := semver.ParseTolerant(targetK8sVer); err != nil { - return "", fmt.Errorf("invalid semver specified in %s: %s (%w)", k8sVersionEnvVar, targetK8sVer, err) - } - // Update the go.mod file first - log.Printf("Running 'go get %s@%s' to update the main dependency...", k8sRepo, targetK8sVer) - getArgs := fmt.Sprintf("%s@%s", k8sRepo, targetK8sVer) - if _, err := runGoCommand("get", getArgs); err != nil { - return "", fmt.Errorf("error running 'go get %s': %w", getArgs, err) - } - return targetK8sVer, nil // Return the validated version -} - -// getK8sVersionFromMod reads the go.mod file to find the current version of k8s.io/kubernetes. -// It returns the version string if found, or an empty string (and nil error) if not found. -func getK8sVersionFromMod() (string, error) { - modF, err := readAndParseGoMod(goModFilename) - if err != nil { - return "", err // Propagate error from reading/parsing - } - - // Find k8s.io/kubernetes version - for _, req := range modF.Require { - if req.Mod.Path == k8sRepo { - log.Printf("Found existing %s version in %s: %s", k8sRepo, goModFilename, req.Mod.Version) - return req.Mod.Version, nil // Return found version - } - } - // Not found case - return empty string, no error (as per original logic) - log.Printf("INFO: %s not found in %s require block. Nothing to do.", k8sRepo, goModFilename) - return "", nil -} - -func main() { - log.SetFlags(0) - if os.Getenv("GOEXE") != "" { - goExe = os.Getenv("GOEXE") - } - - wd, err := os.Getwd() - if err != nil { - log.Fatalf("Error getting working directory: %v", err) - } - modRoot := findModRoot(wd) - if modRoot == "" { - log.Fatalf("Failed to find %s in %s or parent directories", goModFilename, wd) - } - if err := os.Chdir(modRoot); err != nil { - log.Fatalf("Error changing directory to %s: %v", modRoot, err) - } - log.Printf("Running in module root: %s", modRoot) - - var k8sVer string - - // Determine the target k8s version using helper functions - targetK8sVerEnv := os.Getenv(k8sVersionEnvVar) - if targetK8sVerEnv != "" { - // Process version from environment variable - k8sVer, err = getK8sVersionFromEnv(targetK8sVerEnv) - if err != nil { - log.Fatalf("Failed to process k8s version from environment variable %s: %v", k8sVersionEnvVar, err) - } - } else { - // Process version from go.mod file - k8sVer, err = getK8sVersionFromMod() - if err != nil { - log.Fatalf("Failed to get k8s version from %s: %v", goModFilename, err) - } - // Handle the "not found" case where getK8sVersionFromMod returns "", nil - if k8sVer == "" { - os.Exit(0) // Exit gracefully as requested - } - } - - // Calculate target staging version - k8sSemVer, err := semver.ParseTolerant(k8sVer) - if err != nil { - // This should ideally not happen if validation passed earlier, but check anyway. - log.Fatalf("Invalid semver for %s: %s (%v)", k8sRepo, k8sVer, err) // Adjusted log format slightly - } - - if k8sSemVer.Major != 1 { - log.Fatalf("Expected k8s version %s to have major version 1", k8sVer) - } - targetSemVer := semver.Version{Major: 0, Minor: k8sSemVer.Minor, Patch: k8sSemVer.Patch} - // Prepend 'v' as expected by Go modules and the rest of the script logic - targetStagingVer := "v" + targetSemVer.String() - - // Validate the constructed staging version string - if _, err := semver.ParseTolerant(targetStagingVer); err != nil { - log.Fatalf("Calculated invalid staging semver: %s from k8s version %s (%v)", targetStagingVer, k8sVer, err) // Adjusted log format slightly - } - log.Printf("Target staging version calculated: %s", targetStagingVer) - - // Run `go list -m -json all` - type Module struct { - Path string - Version string - Replace *Module - Main bool - } - log.Println("Running 'go list -m -json all'...") - output, err := runGoCommand("list", "-m", "-json", "all") - if err != nil { - // Try downloading first if list fails - log.Println("'go list' failed, trying 'go mod download'...") - if _, downloadErr := runGoCommand("mod", "download"); downloadErr != nil { - log.Fatalf("Error running 'go mod download' after list failed: %v", downloadErr) - } - output, err = runGoCommand("list", "-m", "-json", "all") - if err != nil { - log.Fatalf("Error running 'go list -m -json all' even after download: %v", err) - } - } - - // Iterate, identify k8s.io/* staging modules, and determine version to pin - pins := make(map[string]string) // Module path -> version to pin - decoder := json.NewDecoder(bytes.NewReader(output)) - for decoder.More() { - var mod Module - if err := decoder.Decode(&mod); err != nil { - log.Fatalf("Error decoding go list output: %v", err) - } - - // Skip main module, non-k8s modules, k8s.io/kubernetes itself, and versioned modules like k8s.io/client-go/v2 - _, pathSuffix, _ := module.SplitPathVersion(mod.Path) // Check if path has a version suffix like /v2, /v3 etc. - if mod.Main || !strings.HasPrefix(mod.Path, "k8s.io/") || mod.Path == k8sRepo || pathSuffix != "" { - continue - } - - // Use replacement path if it exists, but skip local file replacements - effectivePath := mod.Path - if mod.Replace != nil { - // Heuristic: Assume module paths have a domain-like structure (e.g., 'xxx.yyy/zzz') in the first segment. - // Local paths usually don't (e.g., '../othermod', './local'). - parts := strings.SplitN(mod.Replace.Path, "/", 2) - if len(parts) > 0 && !strings.Contains(parts[0], ".") { - log.Printf("Skipping local replace: %s => %s", mod.Path, mod.Replace.Path) - continue - } - effectivePath = mod.Replace.Path - } - - // Check existence of target version, fallback to previous patch if needed - determinedVer, err := getLatestExistingVersion(effectivePath, targetStagingVer) - if err != nil { - log.Printf("WARNING: Error checking versions for %s: %v. Skipping pinning.", effectivePath, err) - continue - } - - if determinedVer == "" { - log.Printf("WARNING: Neither target version %s nor its predecessor found for %s. Skipping pinning.", targetStagingVer, effectivePath) - continue - } - - if determinedVer != targetStagingVer { - log.Printf("INFO: Target version %s not found for %s. Using existing predecessor version %s.", targetStagingVer, effectivePath, determinedVer) - } - - // map the original module path (as seen in the dependency graph) to the desired version for the 'replace' directive - pins[mod.Path] = determinedVer - } - - // Add k8s.io/kubernetes itself to the pins map (ensures it's covered by the replace logic) - pins[k8sRepo] = k8sVer - log.Printf("Identified %d k8s.io/* modules to manage.", len(pins)) - - // Parse go.mod again (needed in case `go list` or `go get` modified it) - modF, err := readAndParseGoMod(goModFilename) - if err != nil { - log.Fatal(err) // Error already formatted by helper function - } - - // Remove all existing k8s.io/* replaces that target other modules (not local paths) - log.Println("Removing existing k8s.io/* module replace directives...") - var replacesToRemove []string - for _, rep := range modF.Replace { - // Only remove replaces targeting k8s.io/* modules (not local replacements like ../staging) - // Check that the old path starts with k8s.io/ and the new path looks like a module path (contains '.') - if strings.HasPrefix(rep.Old.Path, "k8s.io/") && strings.Contains(rep.New.Path, ".") { - replacesToRemove = append(replacesToRemove, rep.Old.Path) - } else if strings.HasPrefix(rep.Old.Path, "k8s.io/") { - log.Printf("Note: Found existing non-module replace for %s, leaving untouched: %s => %s %s", rep.Old.Path, rep.Old.Path, rep.New.Path, rep.New.Version) - } - } - if len(replacesToRemove) > 0 { - for _, path := range replacesToRemove { - log.Printf("Removing replace for: %s", path) - // Drop replace expects oldPath and oldVersion. Version is empty for path-only replaces. - if err := modF.DropReplace(path, ""); err != nil { - // Tolerate errors if the replace was already somehow removed or structure changed - log.Printf("Note: Error dropping replace for %s (might be benign): %v", path, err) - } - } - } else { - log.Println("No existing k8s.io/* module replaces found to remove.") - } - - // Add new replace directives - log.Println("Adding determined replace directives...") - // Sort for deterministic output - sortedPaths := make([]string, 0, len(pins)) - for path := range pins { - sortedPaths = append(sortedPaths, path) - } - sort.Strings(sortedPaths) - - for _, path := range sortedPaths { - version := pins[path] - // Add replace for the module path itself (e.g., k8s.io/api => k8s.io/api v0.32.3) - if err := modF.AddReplace(path, "", path, version); err != nil { - log.Fatalf("Error adding replace for %s => %s %s: %v", path, path, version, err) - } - log.Printf("Adding replace: %s => %s %s", path, path, version) - } - - // Write go.mod - log.Println("Writing updated go.mod...") - modF.Cleanup() // Sort blocks, remove redundant directives etc. - newModBytes, err := modF.Format() - if err != nil { - log.Fatalf("Error formatting go.mod: %v", err) - } - if err := os.WriteFile(goModFilename, newModBytes, goModFilePerms); err != nil { - log.Fatalf("Error writing %s: %v", goModFilename, err) - } - - // Run `go mod tidy` - goVer := "" - if modF.Go != nil { // Ensure Go directive exists before accessing Version - goVer = modF.Go.Version - } - tidyArgs := []string{"mod", "tidy"} - if goVer != "" { - tidyArgs = append(tidyArgs, fmt.Sprintf("-go=%s", goVer)) - } - log.Printf("Running '%s %s'...", goExe, strings.Join(tidyArgs, " ")) - if _, err := runGoCommand(tidyArgs...); err != nil { - log.Fatalf("Error running 'go mod tidy': %v", err) - } - - // Run `go mod download k8s.io/kubernetes` - log.Printf("Running '%s mod download %s'...", goExe, k8sRepo) - if _, err := runGoCommand("mod", "download", k8sRepo); err != nil { - // This might not be fatal, could be network issues, but log it prominently - log.Printf("WARNING: Error running 'go mod download %s': %v", k8sRepo, err) - } - - log.Println("Successfully updated k8s dependencies.") -} - -// findModRoot searches for go.mod in dir and parent directories -func findModRoot(dir string) string { - for { - if _, err := os.Stat(filepath.Join(dir, goModFilename)); err == nil { - return dir - } - parent := filepath.Dir(dir) - if parent == dir { - return "" // Reached root - } - dir = parent - } -} - -// runGoCommand executes a go command and returns its stdout or an error -func runGoCommand(args ...string) ([]byte, error) { - cmd := exec.Command(goExe, args...) - cmd.Env = append(os.Environ(), "GO111MODULE=on") // Ensure module mode - var stdout, stderr bytes.Buffer - cmd.Stdout = &stdout - cmd.Stderr = &stderr - log.Printf("Executing: %s %s", goExe, strings.Join(args, " ")) - if err := cmd.Run(); err != nil { - if stderr.Len() > 0 { - log.Printf("Stderr:\n%s", stderr.String()) - } - return nil, fmt.Errorf("command '%s %s' failed: %w", goExe, strings.Join(args, " "), err) - } - return stdout.Bytes(), nil -} - -// getModuleVersions retrieves the list of available versions for a module -func getModuleVersions(modulePath string) ([]string, error) { - output, err := runGoCommand("list", "-m", "-versions", modulePath) - // Combine output and error message for checking because 'go list' sometimes writes errors to stdout - combinedOutput := string(output) - if err != nil { - if !strings.Contains(combinedOutput, err.Error()) { - combinedOutput += err.Error() - } - } - - // Check if the error/output indicates "no matching versions" - this is not a fatal error for our logic - if strings.Contains(combinedOutput, "no matching versions") || strings.Contains(combinedOutput, "no required module provides package") { - log.Printf("INFO: No versions found for module %s via 'go list'.", modulePath) - return []string{}, nil // Return empty list, not an error - } - // If there was an actual error beyond "no matching versions" - if err != nil { - return nil, fmt.Errorf("error listing versions for %s: %w", modulePath, err) - } - - fields := strings.Fields(string(output)) - if len(fields) < minGoListVersionFields { - log.Printf("INFO: No versions listed for module %s (output: '%s')", modulePath, string(output)) - return []string{}, nil // No versions listed (e.g., just the module path) - } - return fields[1:], nil // First field is the module path -} - -// getLatestExistingVersion checks for targetVer and its predecessor, returning the latest one that exists -func getLatestExistingVersion(modulePath, targetVer string) (string, error) { - availableVersions, err := getModuleVersions(modulePath) - if err != nil { - return "", err - } - - foundTarget := false - for _, v := range availableVersions { - if v == targetVer { - foundTarget = true - break - } - } - - if foundTarget { - return targetVer, nil // Target version exists - } - - // Target not found, try previous patch version - targetSemVer, err := semver.ParseTolerant(targetVer) - if err != nil { - log.Printf("Could not parse target version %s for module %s: %v. Cannot determine predecessor.", targetVer, modulePath, err) - return "", nil // Cannot determine predecessor - } - - // Only try to decrement if the patch number is >= the minimum required to do so - if targetSemVer.Patch < uint64(minPatchNumberToDecrementFrom) { - log.Printf("Patch version %d is less than %d for %s, cannot determine predecessor.", targetSemVer.Patch, minPatchNumberToDecrementFrom, targetVer) - return "", nil // Cannot determine predecessor (e.g., target was v0.32.0) - } - - prevSemVer := targetSemVer - prevSemVer.Patch-- - prevPatchVer := "v" + prevSemVer.String() - - foundPrev := false - for _, v := range availableVersions { - if v == prevPatchVer { - foundPrev = true - break - } - } - - if foundPrev { - return prevPatchVer, nil // Predecessor version exists - } - - // Neither found - return "", nil -} diff --git a/hack/tools/schema-generator/main.go b/hack/tools/schema-generator/main.go index aedea32ebb..bbe28d5a76 100644 --- a/hack/tools/schema-generator/main.go +++ b/hack/tools/schema-generator/main.go @@ -18,7 +18,7 @@ const ( schemaID = "https://operator-framework.io/schemas/registry-v1-bundle-config.json" schemaDraft = "http://json-schema.org/draft-07/schema#" schemaTitle = "Registry+v1 Bundle Configuration" - schemaDescription = "Configuration schema for registry+v1 bundles. Includes watchNamespace for controlling operator scope and deploymentConfig for customizing operator deployment (environment variables, resource scheduling, storage, and pod placement). The deploymentConfig follows the same structure and behavior as OLM v0's SubscriptionConfig. Note: The 'selector' field from v0's SubscriptionConfig is not included as it was never used." + schemaDescription = "Configuration schema for registry+v1 bundles. Includes deploymentConfig for customizing operator deployment (environment variables, resource scheduling, storage, and pod placement). The deploymentConfig follows the same structure and behavior as OLM v0's SubscriptionConfig. Note: The 'selector' field from v0's SubscriptionConfig is not included as it was never used." ) // OpenAPISpec represents the structure of Kubernetes OpenAPI v3 spec @@ -270,15 +270,6 @@ func generateBundleConfigSchema(openAPISpec *OpenAPISpec, fields []FieldInfo) *S collectedSchemas: make(map[string]bool), } - // Add watchNamespace property (base definition - will be modified at runtime) - schema.Properties["watchNamespace"] = &SchemaField{ - Description: "The namespace that the operator should watch for custom resources. The meaning and validation of this field depends on the operator's install modes. This field may be optional or required, and may have format constraints, based on the operator's supported install modes.", - AnyOf: []*SchemaField{ - {Type: "null"}, - {Type: "string"}, - }, - } - // Create deploymentConfig property deploymentConfigProps := make(map[string]*SchemaField) diff --git a/hack/tools/schema-generator/main_test.go b/hack/tools/schema-generator/main_test.go index 41807d3a02..732d816b61 100644 --- a/hack/tools/schema-generator/main_test.go +++ b/hack/tools/schema-generator/main_test.go @@ -149,16 +149,6 @@ func TestGenerateBundleConfigSchema(t *testing.T) { assert.False(t, schema.AdditionalProperties) }) - t.Run("includes watchNamespace property", func(t *testing.T) { - require.Contains(t, schema.Properties, "watchNamespace") - - watchNS := schema.Properties["watchNamespace"] - require.NotNil(t, watchNS) - - assert.NotEmpty(t, watchNS.Description) - assert.Len(t, watchNS.AnyOf, 2, "watchNamespace should have anyOf with null and string") - }) - t.Run("includes deploymentConfig property", func(t *testing.T) { require.Contains(t, schema.Properties, "deploymentConfig") @@ -309,7 +299,6 @@ func TestGeneratedSchemaMatchesActualOutput(t *testing.T) { props, ok := schemaFromFile["properties"].(map[string]interface{}) require.True(t, ok) - assert.Contains(t, props, "watchNamespace") assert.Contains(t, props, "deploymentConfig") // Verify deploymentConfig has expected fields diff --git a/helm/experimental.yaml b/helm/experimental.yaml index e1c7f37cb6..9f379ca14e 100644 --- a/helm/experimental.yaml +++ b/helm/experimental.yaml @@ -9,7 +9,6 @@ options: operatorController: features: enabled: - - PreflightPermissions - HelmChartSupport - BoxcutterRuntime - DeploymentConfig diff --git a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml index 83631dc27b..3c02f10264 100644 --- a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml +++ b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml @@ -177,11 +177,11 @@ spec: type: integer serviceAccount: description: |- - serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - The serviceAccount field is required. + serviceAccount was previously used to specify a ServiceAccount for managing the extension. + This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + for all Kubernetes API interactions. + + Deprecated: This field is ignored. It will be removed in a future API version. properties: name: description: |- @@ -495,7 +495,6 @@ spec: has(self.catalog) : !has(self.catalog)' required: - namespace - - serviceAccount - source type: object status: diff --git a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml index 0b824025eb..da974b88d3 100644 --- a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml +++ b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml @@ -167,11 +167,11 @@ spec: rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") serviceAccount: description: |- - serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - The serviceAccount field is required. + serviceAccount was previously used to specify a ServiceAccount for managing the extension. + This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + for all Kubernetes API interactions. + + Deprecated: This field is ignored. It will be removed in a future API version. properties: name: description: |- @@ -485,7 +485,6 @@ spec: has(self.catalog) : !has(self.catalog)' required: - namespace - - serviceAccount - source type: object status: diff --git a/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml index 9b942febf8..f218422efe 100644 --- a/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml @@ -1,4 +1,4 @@ -{{- if and .Values.options.operatorController.enabled (not (has "BoxcutterRuntime" .Values.operatorConrollerFeatures)) }} +{{- if .Values.options.operatorController.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -9,106 +9,14 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch - {{- if .Values.options.openshift.enabled }} - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - privileged - verbs: - - use - {{- end }} - {{- if has "BoxcutterRuntime" .Values.options.operatorController.features.enabled }} - apiGroups: - "*" resources: - "*" verbs: - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions - verbs: - - create - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions/status - verbs: - - patch - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions/finalizers + - "*" + - nonResourceURLs: + - "*" verbs: - - update - {{- end }} + - "*" {{- end }} diff --git a/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml index 5d1beeb57c..802ce650ee 100644 --- a/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml @@ -8,11 +8,7 @@ metadata: labels: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" $ | nindent 4 }} -{{- if has "BoxcutterRuntime" .Values.options.operatorController.features.enabled }} - name: operator-controller-manager-admin-rolebinding -{{- else }} name: operator-controller-manager-rolebinding -{{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/helm/tilt.yaml b/helm/tilt.yaml index 0fe3bec1f7..2ce914ce60 100644 --- a/helm/tilt.yaml +++ b/helm/tilt.yaml @@ -14,7 +14,6 @@ options: operatorController: features: enabled: - - PreflightPermissions - HelmChartSupport disabled: - WebhookProviderOpenshiftServiceCA diff --git a/internal/operator-controller/action/restconfig.go b/internal/operator-controller/action/restconfig.go deleted file mode 100644 index 05e25f707d..0000000000 --- a/internal/operator-controller/action/restconfig.go +++ /dev/null @@ -1,74 +0,0 @@ -package action - -import ( - "context" - "fmt" - "net/http" - - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/rest" - "k8s.io/client-go/transport" - "sigs.k8s.io/controller-runtime/pkg/client" - - ocv1 "github.com/operator-framework/operator-controller/api/v1" - "github.com/operator-framework/operator-controller/internal/operator-controller/authentication" -) - -const syntheticServiceAccountName = "olm.synthetic-user" - -// SyntheticUserRestConfigMapper returns an AuthConfigMapper that that impersonates synthetic users and groups for Object o. -// o is expected to be a ClusterExtension. If the service account defined in o is different from 'olm.synthetic-user', the -// defaultAuthMapper will be used -func SyntheticUserRestConfigMapper(defaultAuthMapper func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error)) func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) { - return func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) { - cExt, err := validate(o, c) - if err != nil { - return nil, err - } - if cExt.Spec.ServiceAccount.Name != syntheticServiceAccountName { - return defaultAuthMapper(ctx, cExt, c) - } - cc := rest.CopyConfig(c) - cc.Wrap(func(rt http.RoundTripper) http.RoundTripper { - return transport.NewImpersonatingRoundTripper(authentication.SyntheticImpersonationConfig(*cExt), rt) - }) - return cc, nil - } -} - -// ServiceAccountRestConfigMapper returns an AuthConfigMapper scoped to the service account defined in o, which is expected to -// be a ClusterExtension -func ServiceAccountRestConfigMapper(tokenGetter *authentication.TokenGetter) func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) { - return func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) { - cExt, err := validate(o, c) - if err != nil { - return nil, err - } - saConfig := rest.AnonymousClientConfig(c) - saConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper { - return &authentication.TokenInjectingRoundTripper{ - Tripper: rt, - TokenGetter: tokenGetter, - Key: types.NamespacedName{ - Name: cExt.Spec.ServiceAccount.Name, - Namespace: cExt.Spec.Namespace, - }, - } - }) - return saConfig, nil - } -} - -func validate(o client.Object, c *rest.Config) (*ocv1.ClusterExtension, error) { - if c == nil { - return nil, fmt.Errorf("rest config is nil") - } - if o == nil { - return nil, fmt.Errorf("object is nil") - } - cExt, ok := o.(*ocv1.ClusterExtension) - if !ok { - return nil, fmt.Errorf("object is not a ClusterExtension") - } - return cExt, nil -} diff --git a/internal/operator-controller/action/restconfig_test.go b/internal/operator-controller/action/restconfig_test.go deleted file mode 100644 index 4c9f786719..0000000000 --- a/internal/operator-controller/action/restconfig_test.go +++ /dev/null @@ -1,177 +0,0 @@ -package action_test - -import ( - "context" - "errors" - "net/http" - "testing" - - "github.com/stretchr/testify/require" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/rest" - "sigs.k8s.io/controller-runtime/pkg/client" - - ocv1 "github.com/operator-framework/operator-controller/api/v1" - "github.com/operator-framework/operator-controller/internal/operator-controller/action" - "github.com/operator-framework/operator-controller/internal/operator-controller/authentication" -) - -func Test_ServiceAccountRestConfigMapper(t *testing.T) { - for _, tc := range []struct { - description string - obj client.Object - cfg *rest.Config - expectedError error - }{ - { - description: "return error if object is nil", - cfg: &rest.Config{}, - expectedError: errors.New("object is nil"), - }, { - description: "return error if cfg is nil", - obj: &ocv1.ClusterExtension{}, - expectedError: errors.New("rest config is nil"), - }, { - description: "return error if object is not a ClusterExtension", - obj: &corev1.Secret{}, - cfg: &rest.Config{}, - expectedError: errors.New("object is not a ClusterExtension"), - }, { - description: "succeeds if object is not a ClusterExtension", - obj: &ocv1.ClusterExtension{ - ObjectMeta: metav1.ObjectMeta{ - Name: "my-clusterextension", - }, - Spec: ocv1.ClusterExtensionSpec{ - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "my-service-account", - }, - Namespace: "my-namespace", - }, - }, - cfg: &rest.Config{}, - }, - } { - t.Run(tc.description, func(t *testing.T) { - tokenGetter := &authentication.TokenGetter{} - saMapper := action.ServiceAccountRestConfigMapper(tokenGetter) - actualCfg, err := saMapper(context.Background(), tc.obj, tc.cfg) - if tc.expectedError != nil { - require.Nil(t, actualCfg) - require.EqualError(t, err, tc.expectedError.Error()) - } else { - require.NoError(t, err) - transport, err := rest.TransportFor(actualCfg) - require.NoError(t, err) - require.NotNil(t, transport) - tokenInjectionRoundTripper, ok := transport.(*authentication.TokenInjectingRoundTripper) - require.True(t, ok) - require.Equal(t, tokenGetter, tokenInjectionRoundTripper.TokenGetter) - require.Equal(t, types.NamespacedName{Name: "my-service-account", Namespace: "my-namespace"}, tokenInjectionRoundTripper.Key) - } - }) - } -} - -func Test_SyntheticUserRestConfigMapper_Fails(t *testing.T) { - for _, tc := range []struct { - description string - obj client.Object - cfg *rest.Config - expectedError error - }{ - { - description: "return error if object is nil", - cfg: &rest.Config{}, - expectedError: errors.New("object is nil"), - }, { - description: "return error if cfg is nil", - obj: &ocv1.ClusterExtension{}, - expectedError: errors.New("rest config is nil"), - }, { - description: "return error if object is not a ClusterExtension", - obj: &corev1.Secret{}, - cfg: &rest.Config{}, - expectedError: errors.New("object is not a ClusterExtension"), - }, - } { - t.Run(tc.description, func(t *testing.T) { - tokenGetter := &authentication.TokenGetter{} - saMapper := action.ServiceAccountRestConfigMapper(tokenGetter) - actualCfg, err := saMapper(context.Background(), tc.obj, tc.cfg) - if tc.expectedError != nil { - require.Nil(t, actualCfg) - require.EqualError(t, err, tc.expectedError.Error()) - } else { - require.NoError(t, err) - transport, err := rest.TransportFor(actualCfg) - require.NoError(t, err) - require.NotNil(t, transport) - tokenInjectionRoundTripper, ok := transport.(*authentication.TokenInjectingRoundTripper) - require.True(t, ok) - require.Equal(t, tokenGetter, tokenInjectionRoundTripper.TokenGetter) - require.Equal(t, types.NamespacedName{Name: "my-service-account", Namespace: "my-namespace"}, tokenInjectionRoundTripper.Key) - } - }) - } -} -func Test_SyntheticUserRestConfigMapper_UsesDefaultConfigMapper(t *testing.T) { - isDefaultRequestMapperUsed := false - defaultServiceMapper := func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) { - isDefaultRequestMapperUsed = true - return c, nil - } - syntheticAuthServiceMapper := action.SyntheticUserRestConfigMapper(defaultServiceMapper) - obj := &ocv1.ClusterExtension{ - ObjectMeta: metav1.ObjectMeta{ - Name: "my-clusterextension", - }, - Spec: ocv1.ClusterExtensionSpec{ - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "my-service-account", - }, - Namespace: "my-namespace", - }, - } - actualCfg, err := syntheticAuthServiceMapper(context.Background(), obj, &rest.Config{}) - require.NoError(t, err) - require.NotNil(t, actualCfg) - require.True(t, isDefaultRequestMapperUsed) -} - -func Test_SyntheticUserRestConfigMapper_UsesSyntheticAuthMapper(t *testing.T) { - syntheticAuthServiceMapper := action.SyntheticUserRestConfigMapper(func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) { - return c, nil - }) - obj := &ocv1.ClusterExtension{ - ObjectMeta: metav1.ObjectMeta{ - Name: "my-clusterextension", - }, - Spec: ocv1.ClusterExtensionSpec{ - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "olm.synthetic-user", - }, - Namespace: "my-namespace", - }, - } - actualCfg, err := syntheticAuthServiceMapper(context.Background(), obj, &rest.Config{}) - require.NoError(t, err) - require.NotNil(t, actualCfg) - - // test that the impersonation headers are appropriately injected into the request - // by wrapping a fake round tripper around the returned configurations transport - // nolint:bodyclose - _, _ = actualCfg.WrapTransport(fakeRoundTripper(func(req *http.Request) (*http.Response, error) { - require.Equal(t, "olm:clusterextension:my-clusterextension", req.Header.Get("Impersonate-User")) - require.Equal(t, "olm:clusterextensions", req.Header.Get("Impersonate-Group")) - return &http.Response{}, nil - })).RoundTrip(&http.Request{}) -} - -type fakeRoundTripper func(req *http.Request) (*http.Response, error) - -func (f fakeRoundTripper) RoundTrip(request *http.Request) (*http.Response, error) { - return f(request) -} diff --git a/internal/operator-controller/applier/boxcutter.go b/internal/operator-controller/applier/boxcutter.go index cb4da7e534..0c07b0175c 100644 --- a/internal/operator-controller/applier/boxcutter.go +++ b/internal/operator-controller/applier/boxcutter.go @@ -1,12 +1,10 @@ package applier import ( - "bytes" "cmp" "context" "errors" "fmt" - "io" "io/fs" "maps" "slices" @@ -19,9 +17,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/authorization/authorizer" - "k8s.io/cli-runtime/pkg/printers" metav1ac "k8s.io/client-go/applyconfigurations/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/apiutil" @@ -32,7 +27,6 @@ import ( ocv1 "github.com/operator-framework/operator-controller/api/v1" ocv1ac "github.com/operator-framework/operator-controller/applyconfigurations/api/v1" - "github.com/operator-framework/operator-controller/internal/operator-controller/authorization" "github.com/operator-framework/operator-controller/internal/operator-controller/labels" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source" "github.com/operator-framework/operator-controller/internal/shared/util/cache" @@ -204,9 +198,6 @@ func (r *SimpleRevisionGenerator) buildClusterExtensionRevision( if annotations == nil { annotations = make(map[string]string) } - annotations[labels.ServiceAccountNameKey] = ext.Spec.ServiceAccount.Name - annotations[labels.ServiceAccountNamespaceKey] = ext.Spec.Namespace - phases := PhaseSort(objects) spec := ocv1ac.ClusterExtensionRevisionSpec(). @@ -422,18 +413,11 @@ type Boxcutter struct { Scheme *runtime.Scheme RevisionGenerator ClusterExtensionRevisionGenerator Preflights []Preflight - PreAuthorizer authorization.PreAuthorizer FieldOwner string } -// apply applies the revision object using server-side apply. PreAuthorization checks are performed -// to ensure the user has sufficient permissions to manage the revision and its resources. -func (bc *Boxcutter) apply(ctx context.Context, user user.Info, rev *ocv1ac.ClusterExtensionRevisionApplyConfiguration) error { - // Run auth preflight checks - if err := bc.runPreAuthorizationChecks(ctx, user, rev); err != nil { - return err - } - +// apply applies the revision object using server-side apply. +func (bc *Boxcutter) apply(ctx context.Context, rev *ocv1ac.ClusterExtensionRevisionApplyConfiguration) error { return bc.Client.Apply(ctx, rev, client.FieldOwner(bc.FieldOwner), client.ForceOwnership) } @@ -488,7 +472,7 @@ func (bc *Boxcutter) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust desiredRevision.Spec.WithRevision(currentRevision.Spec.Revision) desiredRevision.WithName(currentRevision.Name) - err := bc.apply(ctx, getUserInfo(ext), desiredRevision) + err := bc.apply(ctx, desiredRevision) switch { case apierrors.IsInvalid(err): // We could not update the current revision due to trying to update an immutable field. @@ -538,7 +522,7 @@ func (bc *Boxcutter) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust return false, "", fmt.Errorf("garbage collecting old revisions: %w", err) } - if err := bc.apply(ctx, getUserInfo(ext), desiredRevision); err != nil { + if err := bc.apply(ctx, desiredRevision); err != nil { return false, "", fmt.Errorf("creating new Revision: %w", err) } } @@ -546,23 +530,6 @@ func (bc *Boxcutter) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust return true, "", nil } -// runPreAuthorizationChecks runs PreAuthorization checks if the PreAuthorizer is set. An error will be returned if -// the ClusterExtension service account does not have the necessary permissions to manage the revision's resources -func (bc *Boxcutter) runPreAuthorizationChecks(ctx context.Context, user user.Info, rev *ocv1ac.ClusterExtensionRevisionApplyConfiguration) error { - if bc.PreAuthorizer == nil { - return nil - } - - // collect the revision manifests - manifestReader, err := revisionManifestReader(rev) - if err != nil { - return err - } - - // run preauthorization check - return formatPreAuthorizerOutput(bc.PreAuthorizer.PreAuthorize(ctx, user, manifestReader, revisionManagementPerms(rev))) -} - // garbageCollectOldRevisions deletes archived revisions beyond ClusterExtensionRevisionRetentionLimit. // Active revisions are never deleted. revisionList must be sorted oldest to newest. func (bc *Boxcutter) garbageCollectOldRevisions(ctx context.Context, revisionList []ocv1.ClusterExtensionRevision) error { @@ -642,35 +609,6 @@ func getObjects(rev *ocv1ac.ClusterExtensionRevisionApplyConfiguration) []client return objs } -// revisionManifestReader returns an io.Reader containing all manifests in the revision -func revisionManifestReader(rev *ocv1ac.ClusterExtensionRevisionApplyConfiguration) (io.Reader, error) { - printer := printers.YAMLPrinter{} - buf := new(bytes.Buffer) - for _, obj := range getObjects(rev) { - buf.WriteString("---\n") - if err := printer.PrintObj(obj, buf); err != nil { - return nil, err - } - } - return buf, nil -} - -func revisionManagementPerms(rev *ocv1ac.ClusterExtensionRevisionApplyConfiguration) func(user.Info) []authorizer.AttributesRecord { - return func(user user.Info) []authorizer.AttributesRecord { - return []authorizer.AttributesRecord{ - { - User: user, - Name: *rev.GetName(), - APIGroup: ocv1.GroupVersion.Group, - APIVersion: ocv1.GroupVersion.Version, - Resource: "clusterextensionrevisions/finalizers", - ResourceRequest: true, - Verb: "update", - }, - } - } -} - func mergeLabelMaps(m1, m2 map[string]string) map[string]string { mergedLabels := make(map[string]string, len(m1)+len(m2)) maps.Copy(mergedLabels, m1) diff --git a/internal/operator-controller/applier/boxcutter_test.go b/internal/operator-controller/applier/boxcutter_test.go index 4f84612509..7b73da3107 100644 --- a/internal/operator-controller/applier/boxcutter_test.go +++ b/internal/operator-controller/applier/boxcutter_test.go @@ -4,7 +4,6 @@ import ( "context" "errors" "fmt" - "io" "io/fs" "strings" "testing" @@ -17,15 +16,12 @@ import ( "helm.sh/helm/v3/pkg/storage/driver" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" apimeta "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/validation/field" - "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/authorization/authorizer" k8scheme "k8s.io/client-go/kubernetes/scheme" "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" @@ -35,7 +31,6 @@ import ( ocv1 "github.com/operator-framework/operator-controller/api/v1" ocv1ac "github.com/operator-framework/operator-controller/applyconfigurations/api/v1" "github.com/operator-framework/operator-controller/internal/operator-controller/applier" - "github.com/operator-framework/operator-controller/internal/operator-controller/authorization" "github.com/operator-framework/operator-controller/internal/operator-controller/labels" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util/testing/bundlefs" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util/testing/clusterserviceversion" @@ -85,9 +80,6 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T) }, Spec: ocv1.ClusterExtensionSpec{ Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "test-sa", - }, }, } @@ -100,12 +92,10 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T) expected := ocv1ac.ClusterExtensionRevision("test-123-1"). WithAnnotations(map[string]string{ - "olm.operatorframework.io/bundle-name": "my-bundle", - "olm.operatorframework.io/bundle-reference": "bundle-ref", - "olm.operatorframework.io/bundle-version": "1.2.0", - "olm.operatorframework.io/package-name": "my-package", - "olm.operatorframework.io/service-account-name": "test-sa", - "olm.operatorframework.io/service-account-namespace": "test-namespace", + "olm.operatorframework.io/bundle-name": "my-bundle", + "olm.operatorframework.io/bundle-reference": "bundle-ref", + "olm.operatorframework.io/bundle-version": "1.2.0", + "olm.operatorframework.io/package-name": "my-package", }). WithLabels(map[string]string{ labels.OwnerKindKey: ocv1.ClusterExtensionKind, @@ -193,9 +183,6 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) { }, Spec: ocv1.ClusterExtensionSpec{ Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "test-sa", - }, }, } @@ -280,9 +267,6 @@ func Test_SimpleRevisionGenerator_GenerateRevision_BundleAnnotations(t *testing. }, Spec: ocv1.ClusterExtensionSpec{ Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "test-sa", - }, }, } @@ -402,8 +386,7 @@ func Test_SimpleRevisionGenerator_AppliesObjectLabelsAndRevisionAnnotations(t *t rev, err := b.GenerateRevision(t.Context(), dummyBundle, &ocv1.ClusterExtension{ Spec: ocv1.ClusterExtensionSpec{ - Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"}, + Namespace: "test-namespace", }, }, map[string]string{ "some": "value", @@ -464,8 +447,7 @@ func Test_SimpleRevisionGenerator_PropagatesProgressDeadlineMinutes(t *testing.T Name: "test-extension", }, Spec: ocv1.ClusterExtensionSpec{ - Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"}, + Namespace: "test-namespace", }, } empty := map[string]string{} @@ -494,8 +476,7 @@ func Test_SimpleRevisionGenerator_Failure(t *testing.T) { rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{ Spec: ocv1.ClusterExtensionSpec{ - Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"}, + Namespace: "test-namespace", }, }, map[string]string{}, map[string]string{}) require.Nil(t, rev) @@ -1083,190 +1064,6 @@ func TestBoxcutter_Apply(t *testing.T) { } } -func Test_PreAuthorizer_Integration(t *testing.T) { - testScheme := runtime.NewScheme() - require.NoError(t, ocv1.AddToScheme(testScheme)) - - // This is the revision that the mock builder will produce by default. - // We calculate its hash to use in the tests. - ext := &ocv1.ClusterExtension{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-ext", - UID: "test-uid", - }, - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "test-sa", - }, - }, - } - fakeClient := fake.NewClientBuilder().WithScheme(testScheme).Build() - dummyGenerator := &mockBundleRevisionBuilder{ - makeRevisionFunc: func(ctx context.Context, bundleFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, revisionAnnotation map[string]string) (*ocv1ac.ClusterExtensionRevisionApplyConfiguration, error) { - return ocv1ac.ClusterExtensionRevision(""). - WithSpec(ocv1ac.ClusterExtensionRevisionSpec(). - WithPhases( - ocv1ac.ClusterExtensionRevisionPhase(). - WithName("some-phase"). - WithObjects( - ocv1ac.ClusterExtensionRevisionObject(). - WithObject(unstructured.Unstructured{ - Object: map[string]interface{}{ - "apiVersion": "v1", - "kind": "ConfigMap", - "data": map[string]string{ - "test-data": "test-data", - }, - }, - }), - ), - ), - ), nil - }, - } - dummyBundleFs := fstest.MapFS{} - revisionAnnotations := map[string]string{} - - for _, tc := range []struct { - name string - preAuthorizer func(t *testing.T) authorization.PreAuthorizer - validate func(t *testing.T, err error) - }{ - { - name: "preauthorizer called with correct parameters", - preAuthorizer: func(t *testing.T) authorization.PreAuthorizer { - return &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - require.Equal(t, "system:serviceaccount:test-namespace:test-sa", user.GetName()) - require.Empty(t, user.GetUID()) - require.Nil(t, user.GetExtra()) - require.Empty(t, user.GetGroups()) - - t.Log("has correct additional permissions") - require.Len(t, additionalRequiredPerms, 1) - perms := additionalRequiredPerms[0](user) - - require.Len(t, perms, 1) - require.Equal(t, authorizer.AttributesRecord{ - User: user, - Name: "test-ext-1", - APIGroup: "olm.operatorframework.io", - APIVersion: "v1", - Resource: "clusterextensionrevisions/finalizers", - ResourceRequest: true, - Verb: "update", - }, perms[0]) - - t.Log("has correct manifest reader") - manifests, err := io.ReadAll(reader) - require.NoError(t, err) - require.Equal(t, "---\napiVersion: v1\ndata:\n test-data: test-data\nkind: ConfigMap\n", string(manifests)) - return nil, nil - }, - } - }, - }, { - name: "preauthorizer errors are returned", - preAuthorizer: func(t *testing.T) authorization.PreAuthorizer { - return &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return nil, errors.New("test error") - }, - } - }, - validate: func(t *testing.T, err error) { - require.Error(t, err) - require.Contains(t, err.Error(), "pre-authorization failed") - require.Contains(t, err.Error(), "authorization evaluation error: test error") - }, - }, { - name: "preauthorizer missing permissions are returned as an error", - preAuthorizer: func(t *testing.T) authorization.PreAuthorizer { - return &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return []authorization.ScopedPolicyRules{ - { - Namespace: "", - MissingRules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"pods"}, - Verbs: []string{"get", "list", "watch"}, - }, - }, - }, - }, nil - }, - } - }, - validate: func(t *testing.T, err error) { - require.Error(t, err) - require.Contains(t, err.Error(), "pre-authorization failed") - require.Contains(t, err.Error(), "service account requires the following permissions") - require.Contains(t, err.Error(), "Resources:[pods]") - require.Contains(t, err.Error(), "Verbs:[get,list,watch]") - }, - }, { - name: "preauthorizer missing permissions and errors are combined and returned as an error", - preAuthorizer: func(t *testing.T) authorization.PreAuthorizer { - return &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return []authorization.ScopedPolicyRules{ - { - Namespace: "", - MissingRules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"pods"}, - Verbs: []string{"get", "list", "watch"}, - }, - }, - }, - }, errors.New("test error") - }, - } - }, - validate: func(t *testing.T, err error) { - require.Error(t, err) - require.Contains(t, err.Error(), "pre-authorization failed") - require.Contains(t, err.Error(), "service account requires the following permissions") - require.Contains(t, err.Error(), "Resources:[pods]") - require.Contains(t, err.Error(), "Verbs:[get,list,watch]") - require.Contains(t, err.Error(), "authorization evaluation error: test error") - }, - }, { - name: "successful call to preauthorizer does not block applier", - preAuthorizer: func(t *testing.T) authorization.PreAuthorizer { - return &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return nil, nil - }, - } - }, - validate: func(t *testing.T, err error) { - require.NoError(t, err) - }, - }, - } { - t.Run(tc.name, func(t *testing.T) { - boxcutter := &applier.Boxcutter{ - Client: fakeClient, - Scheme: testScheme, - FieldOwner: "test-owner", - RevisionGenerator: dummyGenerator, - PreAuthorizer: tc.preAuthorizer(t), - } - completed, status, err := boxcutter.Apply(t.Context(), dummyBundleFs, ext, nil, revisionAnnotations) - if tc.validate != nil { - tc.validate(t, err) - } - _ = completed - _ = status - }) - } -} - func TestBoxcutterStorageMigrator(t *testing.T) { t.Run("creates revision", func(t *testing.T) { testScheme := runtime.NewScheme() diff --git a/internal/operator-controller/applier/helm.go b/internal/operator-controller/applier/helm.go index ab6e58a363..777c5b3aa4 100644 --- a/internal/operator-controller/applier/helm.go +++ b/internal/operator-controller/applier/helm.go @@ -7,7 +7,6 @@ import ( "fmt" "io" "io/fs" - "slices" "strings" "helm.sh/helm/v3/pkg/action" @@ -16,20 +15,16 @@ import ( "helm.sh/helm/v3/pkg/postrender" "helm.sh/helm/v3/pkg/release" "helm.sh/helm/v3/pkg/storage/driver" - rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" apimachyaml "k8s.io/apimachinery/pkg/util/yaml" - "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client" ocv1 "github.com/operator-framework/operator-controller/api/v1" - "github.com/operator-framework/operator-controller/internal/operator-controller/authorization" "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager" - "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager/cache" + cmcache "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager/cache" "github.com/operator-framework/operator-controller/internal/operator-controller/features" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util" imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image" @@ -62,25 +57,11 @@ func (h HelmReleaseToObjectsConverter) GetObjectsFromRelease(rel *release.Releas type Helm struct { ActionClientGetter helmclient.ActionClientGetter Preflights []Preflight - PreAuthorizer authorization.PreAuthorizer HelmChartProvider HelmChartProvider HelmReleaseToObjectsConverter HelmReleaseToObjectsConverterInterface Manager contentmanager.Manager - Watcher cache.Watcher -} - -// runPreAuthorizationChecks performs pre-authorization checks for a Helm release -// it renders a client-only release, checks permissions using the PreAuthorizer -// and returns an error if authorization fails or required permissions are missing -func (h *Helm) runPreAuthorizationChecks(ctx context.Context, ext *ocv1.ClusterExtension, chart *chart.Chart, values chartutil.Values, post postrender.PostRenderer) error { - tmplRel, err := h.renderClientOnlyRelease(ctx, ext, chart, values, post) - if err != nil { - return fmt.Errorf("error rendering content for pre-authorization checks: %w", err) - } - - manifestManager := getUserInfo(ext) - return formatPreAuthorizerOutput(h.PreAuthorizer.PreAuthorize(ctx, manifestManager, strings.NewReader(tmplRel.Manifest), extManagementPerms(ext))) + Watcher cmcache.Watcher } func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels map[string]string, storageLabels map[string]string) (bool, string, error) { @@ -104,14 +85,6 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte labels: objectLabels, } - if h.PreAuthorizer != nil { - err := h.runPreAuthorizationChecks(ctx, ext, chrt, values, post) - if err != nil { - // Return the pre-authorization error directly - return false, "", err - } - } - ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext) if err != nil { return false, "", err @@ -176,12 +149,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte return true, "", err } klog.FromContext(ctx).Info("watching managed objects") - cache, err := h.Manager.Get(ctx, ext) - if err != nil { - return true, "", err - } - - if err := cache.Watch(ctx, h.Watcher, relObjects...); err != nil { + if err := h.Manager.Watch(ctx, ext.Name, h.Watcher, relObjects...); err != nil { return true, "", err } @@ -226,17 +194,11 @@ func (h *Helm) reconcileExistingRelease(ctx context.Context, ac helmclient.Actio logger.Error(fmt.Errorf("manager is nil"), "Manager not initialized, cannot set up drift detection watches (resources are applied but drift detection disabled)") return true, "", nil } - cache, err := h.Manager.Get(ctx, ext) - if err != nil { - logger.Error(err, "failed to get managed content cache, cannot set up drift detection watches (resources are applied but drift detection disabled)") - return true, "", nil - } - if h.Watcher == nil { logger.Error(fmt.Errorf("watcher is nil"), "Watcher not initialized, cannot set up drift detection watches (resources are applied but drift detection disabled)") return true, "", nil } - if err := cache.Watch(ctx, h.Watcher, relObjects...); err != nil { + if err := h.Manager.Watch(ctx, ext.Name, h.Watcher, relObjects...); err != nil { logger.Error(err, "failed to set up drift detection watches (resources are applied but drift detection disabled)") return true, "", nil } @@ -261,34 +223,6 @@ func (h *Helm) buildHelmChart(bundleFS fs.FS, ext *ocv1.ClusterExtension) (*char return h.HelmChartProvider.Get(bundleFS, ext) } -func (h *Helm) renderClientOnlyRelease(ctx context.Context, ext *ocv1.ClusterExtension, chrt *chart.Chart, values chartutil.Values, post postrender.PostRenderer) (*release.Release, error) { - // We need to get a separate action client because our work below - // permanently modifies the underlying action.Configuration for ClientOnly mode. - ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext) - if err != nil { - return nil, err - } - - isUpgrade := false - currentRelease, err := ac.Get(ext.GetName()) - if err != nil && !errors.Is(err, driver.ErrReleaseNotFound) { - return nil, err - } - if currentRelease != nil { - isUpgrade = true - } - - return ac.Install(ext.GetName(), ext.Spec.Namespace, chrt, values, func(i *action.Install) error { - i.DryRun = true - i.ReleaseName = ext.GetName() - i.Replace = true - i.ClientOnly = true - i.IncludeCRDs = true - i.IsUpgrade = isUpgrade - return nil - }, helmclient.AppendInstallPostRenderer(post)) -} - func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterExtension, chrt *chart.Chart, values chartutil.Values, post postrender.PostRenderer) (*release.Release, *release.Release, string, error) { currentRelease, err := cl.Get(ext.GetName()) if errors.Is(err, driver.ErrReleaseNotFound) { @@ -353,74 +287,3 @@ func (p *postrenderer) Run(renderedManifests *bytes.Buffer) (*bytes.Buffer, erro } return &buf, nil } - -func ruleDescription(ns string, rule rbacv1.PolicyRule) string { - var sb strings.Builder - sb.WriteString(fmt.Sprintf("Namespace:%q", ns)) - - if len(rule.APIGroups) > 0 { - sb.WriteString(fmt.Sprintf(" APIGroups:[%s]", strings.Join(slices.Sorted(slices.Values(rule.APIGroups)), ","))) - } - if len(rule.Resources) > 0 { - sb.WriteString(fmt.Sprintf(" Resources:[%s]", strings.Join(slices.Sorted(slices.Values(rule.Resources)), ","))) - } - if len(rule.ResourceNames) > 0 { - sb.WriteString(fmt.Sprintf(" ResourceNames:[%s]", strings.Join(slices.Sorted(slices.Values(rule.ResourceNames)), ","))) - } - if len(rule.Verbs) > 0 { - sb.WriteString(fmt.Sprintf(" Verbs:[%s]", strings.Join(slices.Sorted(slices.Values(rule.Verbs)), ","))) - } - if len(rule.NonResourceURLs) > 0 { - sb.WriteString(fmt.Sprintf(" NonResourceURLs:[%s]", strings.Join(slices.Sorted(slices.Values(rule.NonResourceURLs)), ","))) - } - return sb.String() -} - -// formatPreAuthorizerOutput formats the output of PreAuthorizer.PreAuthorize calls into a consistent and deterministic error. -// If the call returns no missing rules, and no error, nil is returned. -func formatPreAuthorizerOutput(missingRules []authorization.ScopedPolicyRules, authErr error) error { - var preAuthErrors []error - if len(missingRules) > 0 { - totalMissingRules := 0 - for _, policyRules := range missingRules { - totalMissingRules += len(policyRules.MissingRules) - } - missingRuleDescriptions := make([]string, 0, totalMissingRules) - for _, policyRules := range missingRules { - for _, rule := range policyRules.MissingRules { - missingRuleDescriptions = append(missingRuleDescriptions, ruleDescription(policyRules.Namespace, rule)) - } - } - slices.Sort(missingRuleDescriptions) - // This phrase is explicitly checked by external testing - preAuthErrors = append(preAuthErrors, fmt.Errorf("service account requires the following permissions to manage cluster extension:\n %s", strings.Join(missingRuleDescriptions, "\n "))) - } - if authErr != nil { - preAuthErrors = append(preAuthErrors, fmt.Errorf("authorization evaluation error: %w", authErr)) - } - if len(preAuthErrors) > 0 { - // This phrase is explicitly checked by external testing - return fmt.Errorf("pre-authorization failed: %v", errors.Join(preAuthErrors...)) - } - return nil -} - -func getUserInfo(ext *ocv1.ClusterExtension) user.Info { - return &user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ext.Spec.Namespace, ext.Spec.ServiceAccount.Name)} -} - -func extManagementPerms(ext *ocv1.ClusterExtension) func(user.Info) []authorizer.AttributesRecord { - return func(user user.Info) []authorizer.AttributesRecord { - return []authorizer.AttributesRecord{ - { - User: user, - Name: ext.Name, - APIGroup: ocv1.GroupVersion.Group, - APIVersion: ocv1.GroupVersion.Version, - Resource: "clusterextensions/finalizers", - ResourceRequest: true, - Verb: "update", - }, - } - } -} diff --git a/internal/operator-controller/applier/helm_test.go b/internal/operator-controller/applier/helm_test.go index 25fad4d66b..f74fd371ce 100644 --- a/internal/operator-controller/applier/helm_test.go +++ b/internal/operator-controller/applier/helm_test.go @@ -3,7 +3,6 @@ package applier_test import ( "context" "errors" - "io" "io/fs" "os" "testing" @@ -14,17 +13,13 @@ import ( "helm.sh/helm/v3/pkg/chart" "helm.sh/helm/v3/pkg/release" "helm.sh/helm/v3/pkg/storage/driver" - rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/authorization/authorizer" "sigs.k8s.io/controller-runtime/pkg/client" helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client" ocv1 "github.com/operator-framework/operator-controller/api/v1" "github.com/operator-framework/operator-controller/internal/operator-controller/applier" - "github.com/operator-framework/operator-controller/internal/operator-controller/authorization" "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager" cmcache "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager/cache" ) @@ -32,39 +27,17 @@ import ( var _ contentmanager.Manager = (*mockManagedContentCacheManager)(nil) type mockManagedContentCacheManager struct { - err error - cache cmcache.Cache -} - -func (m *mockManagedContentCacheManager) Get(_ context.Context, _ *ocv1.ClusterExtension) (cmcache.Cache, error) { - if m.err != nil { - return nil, m.err - } - return m.cache, nil + err error } -func (m *mockManagedContentCacheManager) Delete(_ *ocv1.ClusterExtension) error { +func (m *mockManagedContentCacheManager) Watch(_ context.Context, _ string, _ cmcache.Watcher, _ ...client.Object) error { return m.err } -type mockManagedContentCache struct { - err error -} +func (m *mockManagedContentCacheManager) Delete(_ context.Context, _ string) {} -var _ cmcache.Cache = (*mockManagedContentCache)(nil) - -func (m *mockManagedContentCache) Close() error { - if m.err != nil { - return m.err - } - return nil -} - -func (m *mockManagedContentCache) Watch(_ context.Context, _ cmcache.Watcher, _ ...client.Object) error { - if m.err != nil { - return m.err - } - return nil +func (m *mockManagedContentCacheManager) Close() error { + return m.err } type mockPreflight struct { @@ -72,14 +45,6 @@ type mockPreflight struct { upgradeErr error } -type mockPreAuthorizer struct { - fn func(context.Context, user.Info, io.Reader, ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) -} - -func (p *mockPreAuthorizer) PreAuthorize(ctx context.Context, manifestManager user.Info, manifestReader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return p.fn(ctx, manifestManager, manifestReader, additionalRequiredPerms...) -} - func (mp *mockPreflight) Install(context.Context, []client.Object) error { return mp.installErr } @@ -199,40 +164,10 @@ spec: }, Spec: ocv1.ClusterExtensionSpec{ Namespace: "test-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "test-sa", - }, }, } testObjectLabels = map[string]string{"object": "label"} testStorageLabels = map[string]string{"storage": "label"} - errPreAuth = errors.New("problem running preauthorization") - missingRBAC = []authorization.ScopedPolicyRules{ - { - Namespace: "", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil)}, - }, - }, - { - Namespace: "test-namespace", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"create"}, - APIGroups: []string{"*"}, - Resources: []string{"certificates"}}, - }, - }, - } - - errMissingRBAC = `pre-authorization failed: service account requires the following permissions to manage cluster extension: - Namespace:"" APIGroups:[] Resources:[services] Verbs:[list,watch] - Namespace:"test-namespace" APIGroups:[*] Resources:[certificates] Verbs:[create]` ) func TestApply_Base(t *testing.T) { @@ -342,9 +277,7 @@ func TestApply_Installation(t *testing.T) { ActionClientGetter: mockAcg, HelmChartProvider: DummyHelmChartProvider, HelmReleaseToObjectsConverter: mockHelmReleaseToObjectsConverter{}, - Manager: &mockManagedContentCacheManager{ - cache: &mockManagedContentCache{}, - }, + Manager: &mockManagedContentCacheManager{}, } installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) @@ -354,204 +287,6 @@ func TestApply_Installation(t *testing.T) { }) } -func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) { - t.Run("preauthorizer called with correct parameters", func(t *testing.T) { - mockAcg := &mockActionGetter{ - getClientErr: driver.ErrReleaseNotFound, - installErr: errors.New("failed installing chart"), - desiredRel: &release.Release{ - Info: &release.Info{Status: release.StatusDeployed}, - Manifest: validManifest, - }, - } - mockPf := &mockPreflight{installErr: errors.New("failed during install pre-flight check")} - helmApplier := applier.Helm{ - ActionClientGetter: mockAcg, - Preflights: []applier.Preflight{mockPf}, - PreAuthorizer: &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - t.Log("has correct user") - require.Equal(t, "system:serviceaccount:test-namespace:test-sa", user.GetName()) - require.Empty(t, user.GetUID()) - require.Nil(t, user.GetExtra()) - require.Empty(t, user.GetGroups()) - - t.Log("has correct additional permissions") - require.Len(t, additionalRequiredPerms, 1) - perms := additionalRequiredPerms[0](user) - - require.Len(t, perms, 1) - require.Equal(t, authorizer.AttributesRecord{ - User: user, - Name: "test-ext", - APIGroup: "olm.operatorframework.io", - APIVersion: "v1", - Resource: "clusterextensions/finalizers", - ResourceRequest: true, - Verb: "update", - }, perms[0]) - return nil, nil - }, - }, - HelmChartProvider: DummyHelmChartProvider, - HelmReleaseToObjectsConverter: mockHelmReleaseToObjectsConverter{}, - } - - _, _, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) - require.Error(t, err) - }) - - t.Run("fails during dry-run installation", func(t *testing.T) { - mockAcg := &mockActionGetter{ - getClientErr: driver.ErrReleaseNotFound, - dryRunInstallErr: errors.New("failed attempting to dry-run install chart"), - } - helmApplier := applier.Helm{ - ActionClientGetter: mockAcg, - HelmChartProvider: DummyHelmChartProvider, - } - - installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) - require.Error(t, err) - require.ErrorContains(t, err, "attempting to dry-run install chart") - require.False(t, installSucceeded) - require.Empty(t, installStatus) - }) - - t.Run("fails during pre-flight installation", func(t *testing.T) { - mockAcg := &mockActionGetter{ - getClientErr: driver.ErrReleaseNotFound, - installErr: errors.New("failed installing chart"), - desiredRel: &release.Release{ - Info: &release.Info{Status: release.StatusDeployed}, - Manifest: validManifest, - }, - } - mockPf := &mockPreflight{installErr: errors.New("failed during install pre-flight check")} - helmApplier := applier.Helm{ - ActionClientGetter: mockAcg, - Preflights: []applier.Preflight{mockPf}, - PreAuthorizer: &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return nil, nil - }, - }, - HelmChartProvider: DummyHelmChartProvider, - HelmReleaseToObjectsConverter: mockHelmReleaseToObjectsConverter{}, - } - - installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) - require.Error(t, err) - require.ErrorContains(t, err, "install pre-flight check") - require.False(t, installSucceeded) - require.Empty(t, installStatus) - }) - - t.Run("fails during installation because of pre-authorization failure", func(t *testing.T) { - mockAcg := &mockActionGetter{ - getClientErr: driver.ErrReleaseNotFound, - desiredRel: &release.Release{ - Info: &release.Info{Status: release.StatusDeployed}, - Manifest: validManifest, - }, - } - helmApplier := applier.Helm{ - ActionClientGetter: mockAcg, - PreAuthorizer: &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return nil, errPreAuth - }, - }, - HelmChartProvider: DummyHelmChartProvider, - } - // Use a ClusterExtension with valid Spec fields. - validCE := &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, - }, - } - installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, validCE, testObjectLabels, testStorageLabels) - require.Error(t, err) - require.ErrorContains(t, err, "problem running preauthorization") - require.False(t, installSucceeded) - require.Empty(t, installStatus) - }) - - t.Run("fails during installation due to missing RBAC rules", func(t *testing.T) { - mockAcg := &mockActionGetter{ - getClientErr: driver.ErrReleaseNotFound, - desiredRel: &release.Release{ - Info: &release.Info{Status: release.StatusDeployed}, - Manifest: validManifest, - }, - } - helmApplier := applier.Helm{ - ActionClientGetter: mockAcg, - PreAuthorizer: &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return missingRBAC, nil - }, - }, - HelmChartProvider: DummyHelmChartProvider, - } - // Use a ClusterExtension with valid Spec fields. - validCE := &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, - }, - } - installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, validCE, testObjectLabels, testStorageLabels) - require.Error(t, err) - require.ErrorContains(t, err, errMissingRBAC) - require.False(t, installSucceeded) - require.Empty(t, installStatus) - }) - - t.Run("successful installation", func(t *testing.T) { - mockAcg := &mockActionGetter{ - getClientErr: driver.ErrReleaseNotFound, - desiredRel: &release.Release{ - Info: &release.Info{Status: release.StatusDeployed}, - Manifest: validManifest, - }, - } - helmApplier := applier.Helm{ - ActionClientGetter: mockAcg, - PreAuthorizer: &mockPreAuthorizer{ - fn: func(ctx context.Context, user user.Info, reader io.Reader, additionalRequiredPerms ...authorization.UserAuthorizerAttributesFactory) ([]authorization.ScopedPolicyRules, error) { - return nil, nil - }, - }, - HelmChartProvider: DummyHelmChartProvider, - HelmReleaseToObjectsConverter: mockHelmReleaseToObjectsConverter{}, - Manager: &mockManagedContentCacheManager{ - cache: &mockManagedContentCache{}, - }, - } - - // Use a ClusterExtension with valid Spec fields. - validCE := &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, - }, - } - - installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, validCE, testObjectLabels, testStorageLabels) - require.NoError(t, err) - require.Empty(t, installStatus) - require.True(t, installSucceeded) - }) -} - func TestApply_Upgrade(t *testing.T) { testCurrentRelease := &release.Release{ Info: &release.Info{Status: release.StatusDeployed}, @@ -656,9 +391,7 @@ func TestApply_Upgrade(t *testing.T) { ActionClientGetter: mockAcg, HelmChartProvider: DummyHelmChartProvider, HelmReleaseToObjectsConverter: mockHelmReleaseToObjectsConverter{}, - Manager: &mockManagedContentCacheManager{ - cache: &mockManagedContentCache{}, - }, + Manager: &mockManagedContentCacheManager{}, } installSucceeded, installStatus, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) @@ -685,9 +418,7 @@ func TestApply_RegistryV1ToChartConverterIntegration(t *testing.T) { }, }, HelmReleaseToObjectsConverter: mockHelmReleaseToObjectsConverter{}, - Manager: &mockManagedContentCacheManager{ - cache: &mockManagedContentCache{}, - }, + Manager: &mockManagedContentCacheManager{}, } _, _, _ = helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) @@ -707,9 +438,7 @@ func TestApply_RegistryV1ToChartConverterIntegration(t *testing.T) { return nil, errors.New("some error") }, }, - Manager: &mockManagedContentCacheManager{ - cache: &mockManagedContentCache{}, - }, + Manager: &mockManagedContentCacheManager{}, } _, _, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels) diff --git a/internal/operator-controller/applier/provider.go b/internal/operator-controller/applier/provider.go index 49e5a8df05..64563ebd8f 100644 --- a/internal/operator-controller/applier/provider.go +++ b/internal/operator-controller/applier/provider.go @@ -7,11 +7,9 @@ import ( "io/fs" "helm.sh/helm/v3/pkg/chart" - "k8s.io/apimachinery/pkg/util/sets" + corev1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/operator-framework/api/pkg/operators/v1alpha1" - ocv1 "github.com/operator-framework/operator-controller/api/v1" "github.com/operator-framework/operator-controller/internal/operator-controller/config" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle" @@ -29,11 +27,10 @@ type ManifestProvider interface { // RegistryV1ManifestProvider generates the manifests that should be installed for a registry+v1 bundle // given the user specified configuration given by the ClusterExtension API surface type RegistryV1ManifestProvider struct { - BundleRenderer render.BundleRenderer - CertificateProvider render.CertificateProvider - IsWebhookSupportEnabled bool - IsSingleOwnNamespaceEnabled bool - IsDeploymentConfigEnabled bool + BundleRenderer render.BundleRenderer + CertificateProvider render.CertificateProvider + IsWebhookSupportEnabled bool + IsDeploymentConfigEnabled bool } func (r *RegistryV1ManifestProvider) Get(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) { @@ -54,39 +51,24 @@ func (r *RegistryV1ManifestProvider) Get(bundleFS fs.FS, ext *ocv1.ClusterExtens } } - installModes := sets.New(rv1.CSV.Spec.InstallModes...) - if !r.IsSingleOwnNamespaceEnabled && !installModes.Has(v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeAllNamespaces, Supported: true}) { - return nil, fmt.Errorf("unsupported bundle: bundle does not support AllNamespaces install mode") - } - - if !installModes.HasAny( - v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeAllNamespaces, Supported: true}, - v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeSingleNamespace, Supported: true}, - v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeOwnNamespace, Supported: true}, - ) { - return nil, fmt.Errorf("unsupported bundle: bundle must support at least one of [AllNamespaces SingleNamespace OwnNamespace] install modes") + configOpts, err := r.extractBundleConfigOptions(&rv1, ext) + if err != nil { + return nil, err } - opts := []render.Option{ + // All registry+v1 bundles are rendered to watch all namespaces regardless of their + // stated supported install modes in order to align with OLMv1's single-tenant + // cluster-scoped philosophy. + opts := append([]render.Option{ + render.WithTargetNamespaces(corev1.NamespaceAll), + render.WithSkipInstallModeValidation(), render.WithCertificateProvider(r.CertificateProvider), - } - - // Always validate inline config when present so that disabled features produce - // a clear error rather than being silently ignored. When IsSingleOwnNamespaceEnabled - // is true we also call this with no config to validate required fields (e.g. - // watchNamespace for OwnNamespace-only bundles). - if r.IsSingleOwnNamespaceEnabled || ext.Spec.Config != nil { - configOpts, err := r.extractBundleConfigOptions(&rv1, ext) - if err != nil { - return nil, err - } - opts = append(opts, configOpts...) - } + }, configOpts...) return r.BundleRenderer.Render(rv1, ext.Spec.Namespace, opts...) } // extractBundleConfigOptions extracts and validates configuration options from a ClusterExtension. -// Returns render options for watchNamespace and deploymentConfig if present in the extension's configuration. +// Returns render options for deploymentConfig if present in the extension's configuration. func (r *RegistryV1ManifestProvider) extractBundleConfigOptions(rv1 *bundle.RegistryV1, ext *ocv1.ClusterExtension) ([]render.Option, error) { schema, err := rv1.GetConfigSchema() if err != nil { @@ -102,16 +84,12 @@ func (r *RegistryV1ManifestProvider) extractBundleConfigOptions(rv1 *bundle.Regi } bundleConfigBytes := extensionConfigBytes(ext) - bundleConfig, err := config.UnmarshalConfig(bundleConfigBytes, schema, ext.Spec.Namespace) + bundleConfig, err := config.UnmarshalConfig(bundleConfigBytes, schema) if err != nil { return nil, errorutil.NewTerminalError(ocv1.ReasonInvalidConfiguration, fmt.Errorf("invalid ClusterExtension configuration: %w", err)) } var opts []render.Option - if watchNS := bundleConfig.GetWatchNamespace(); watchNS != nil { - opts = append(opts, render.WithTargetNamespaces(*watchNS)) - } - // Extract and convert deploymentConfig if present and the feature gate is enabled. if r.IsDeploymentConfigEnabled { if deploymentConfigMap := bundleConfig.GetDeploymentConfig(); deploymentConfigMap != nil { diff --git a/internal/operator-controller/applier/provider_test.go b/internal/operator-controller/applier/provider_test.go index 71b1ab3bd3..63cb366754 100644 --- a/internal/operator-controller/applier/provider_test.go +++ b/internal/operator-controller/applier/provider_test.go @@ -7,6 +7,7 @@ import ( "testing/fstest" "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -49,7 +50,7 @@ func Test_RegistryV1ManifestProvider_Integration(t *testing.T) { }, } - // The contents of the bundle are not important for this tesy, only that it be a valid bundle + // The contents of the bundle are not important for this test, only that it be a valid bundle // to avoid errors in the deserialization process bundleFS := bundlefs.Builder().WithPackageName("test"). WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces).Build()).Build() @@ -65,40 +66,52 @@ func Test_RegistryV1ManifestProvider_Integration(t *testing.T) { require.Contains(t, err.Error(), "some error") }) - t.Run("surfaces bundle config unmarshall errors", func(t *testing.T) { + t.Run("renders bundle with only SingleNamespace install mode in AllNamespaces mode", func(t *testing.T) { provider := applier.RegistryV1ManifestProvider{ - BundleRenderer: render.BundleRenderer{ - ResourceGenerators: []render.ResourceGenerator{ - func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) { - return nil, nil - }, - }, + BundleRenderer: registryv1.Renderer, + } + + // Bundle only declares SingleNamespace support - no AllNamespaces + bundleFS := bundlefs.Builder().WithPackageName("test"). + WithCSV(clusterserviceversion.Builder(). + WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace). + WithStrategyDeploymentSpecs(v1alpha1.StrategyDeploymentSpec{ + Name: "test-operator", + }).Build()).Build() + + ext := &ocv1.ClusterExtension{ + Spec: ocv1.ClusterExtensionSpec{ + Namespace: "install-namespace", }, - // must be true for now as we only unmarshal configuration when this feature is on - // once we go GA and remove IsSingleOwnNamespaceEnabled it's ok to just delete this - IsSingleOwnNamespaceEnabled: true, } - // The contents of the bundle are not important for this tesy, only that it be a valid bundle - // to avoid errors in the deserialization process + objs, err := provider.Get(bundleFS, ext) + require.NoError(t, err, "bundles without AllNamespaces support should still render successfully") + requireTargetNamespacesAnnotation(t, objs, corev1.NamespaceAll) + }) + + t.Run("renders bundle with only OwnNamespace install mode in AllNamespaces mode", func(t *testing.T) { + provider := applier.RegistryV1ManifestProvider{ + BundleRenderer: registryv1.Renderer, + } + + // Bundle only declares OwnNamespace support - no AllNamespaces bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() + WithCSV(clusterserviceversion.Builder(). + WithInstallModeSupportFor(v1alpha1.InstallModeTypeOwnNamespace). + WithStrategyDeploymentSpecs(v1alpha1.StrategyDeploymentSpec{ + Name: "test-operator", + }).Build()).Build() ext := &ocv1.ClusterExtension{ Spec: ocv1.ClusterExtensionSpec{ Namespace: "install-namespace", - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{"watchNamespace": "install-namespace"}`), - }, - }, }, } - _, err := provider.Get(bundleFS, ext) - require.Error(t, err) - require.Contains(t, err.Error(), "invalid ClusterExtension configuration") + objs, err := provider.Get(bundleFS, ext) + require.NoError(t, err, "bundles without AllNamespaces support should still render successfully") + requireTargetNamespacesAnnotation(t, objs, corev1.NamespaceAll) }) t.Run("returns terminal error for invalid config", func(t *testing.T) { @@ -110,18 +123,21 @@ func Test_RegistryV1ManifestProvider_Integration(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, } - // Bundle with SingleNamespace install mode requiring watchNamespace config bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() + WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces).Build()).Build() - // ClusterExtension without required config + // ClusterExtension with invalid config - unknown field ext := &ocv1.ClusterExtension{ Spec: ocv1.ClusterExtensionSpec{ Namespace: "install-namespace", - // No config provided - should fail validation + Config: &ocv1.ClusterExtensionConfig{ + ConfigType: ocv1.ClusterExtensionConfigTypeInline, + Inline: &apiextensionsv1.JSON{ + Raw: []byte(`{"unknownField": "value"}`), + }, + }, }, } @@ -256,194 +272,6 @@ func Test_RegistryV1ManifestProvider_WebhookSupport(t *testing.T) { }) } -func Test_RegistryV1ManifestProvider_SingleOwnNamespaceSupport(t *testing.T) { - t.Run("rejects bundles without AllNamespaces install mode when Single/OwnNamespace install mode support is disabled", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: false, - } - - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() - - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - }, - }) - require.Equal(t, "unsupported bundle: bundle does not support AllNamespaces install mode", err.Error()) - }) - - t.Run("rejects bundles without AllNamespaces install mode and with SingleNamespace support when Single/OwnNamespace install mode support is enabled", func(t *testing.T) { - expectedWatchNamespace := "some-namespace" - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: false, - } - - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() - - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{"watchNamespace": "` + expectedWatchNamespace + `"}`), - }, - }, - }, - }) - require.Error(t, err) - require.Contains(t, err.Error(), "unsupported bundle") - }) - - t.Run("rejects bundles without AllNamespaces install mode and with OwnNamespace support when Single/OwnNamespace install mode support is disabled", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: false, - } - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeOwnNamespace).Build()).Build() - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - }, - }) - require.Error(t, err) - require.Contains(t, err.Error(), "unsupported bundle") - }) - - t.Run("accepts bundles with install modes {SingleNamespace} when the appropriate configuration is given", func(t *testing.T) { - expectedWatchNamespace := "some-namespace" - provider := applier.RegistryV1ManifestProvider{ - BundleRenderer: render.BundleRenderer{ - ResourceGenerators: []render.ResourceGenerator{ - func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) { - t.Log("ensure watch namespace is appropriately configured") - require.Equal(t, []string{expectedWatchNamespace}, opts.TargetNamespaces) - return nil, nil - }, - }, - }, - IsSingleOwnNamespaceEnabled: true, - } - - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() - - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{"watchNamespace": "` + expectedWatchNamespace + `"}`), - }, - }, - }, - }) - require.NoError(t, err) - }) - - t.Run("rejects bundles with {SingleNamespace} install modes when no configuration is given", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: true, - } - - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() - - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - }, - }) - require.Error(t, err) - require.Contains(t, err.Error(), `required field "watchNamespace" is missing`) - }) - - t.Run("accepts bundles with {OwnNamespace} install modes when the appropriate configuration is given", func(t *testing.T) { - installNamespace := "some-namespace" - provider := applier.RegistryV1ManifestProvider{ - BundleRenderer: render.BundleRenderer{ - ResourceGenerators: []render.ResourceGenerator{ - func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) { - t.Log("ensure watch namespace is appropriately configured") - require.Equal(t, []string{installNamespace}, opts.TargetNamespaces) - return nil, nil - }, - }, - }, - IsSingleOwnNamespaceEnabled: true, - } - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeOwnNamespace).Build()).Build() - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: installNamespace, - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{"watchNamespace": "` + installNamespace + `"}`), - }, - }, - }, - }) - require.NoError(t, err) - }) - - t.Run("rejects bundles with {OwnNamespace} install modes when no configuration is given", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: true, - } - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeOwnNamespace).Build()).Build() - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - }, - }) - require.Error(t, err) - require.Contains(t, err.Error(), `required field "watchNamespace" is missing`) - }) - - t.Run("rejects bundles with {OwnNamespace} install modes when watchNamespace is not install namespace", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: true, - } - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeOwnNamespace).Build()).Build() - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{"watchNamespace": "not-install-namespace"}`), - }, - }, - }, - }) - require.Error(t, err) - require.Contains(t, err.Error(), "invalid ClusterExtension configuration:") - require.Contains(t, err.Error(), "must be") - require.Contains(t, err.Error(), "install-namespace") - }) - - t.Run("rejects bundles without AllNamespaces, SingleNamespace, or OwnNamespace install mode support when Single/OwnNamespace install mode support is enabled", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - IsSingleOwnNamespaceEnabled: true, - } - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeMultiNamespace).Build()).Build() - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - }, - }) - require.Equal(t, "unsupported bundle: bundle must support at least one of [AllNamespaces SingleNamespace OwnNamespace] install modes", err.Error()) - }) -} - func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { t.Run("passes deploymentConfig to renderer when provided in configuration", func(t *testing.T) { expectedEnvVars := []corev1.EnvVar{ @@ -460,8 +288,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: true, + IsDeploymentConfigEnabled: true, } bundleFS := bundlefs.Builder().WithPackageName("test"). @@ -492,8 +319,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: true, + IsDeploymentConfigEnabled: true, } bundleFS := bundlefs.Builder().WithPackageName("test"). @@ -525,8 +351,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: true, + IsDeploymentConfigEnabled: true, } bundleFS := bundlefs.Builder().WithPackageName("test"). @@ -551,49 +376,6 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { require.NoError(t, err) }) - t.Run("passes both watchNamespace and deploymentConfig when both provided", func(t *testing.T) { - expectedWatchNamespace := "some-namespace" - expectedEnvVars := []corev1.EnvVar{ - {Name: "TEST_ENV", Value: "test-value"}, - } - provider := applier.RegistryV1ManifestProvider{ - BundleRenderer: render.BundleRenderer{ - ResourceGenerators: []render.ResourceGenerator{ - func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) { - t.Log("ensure both watchNamespace and deploymentConfig are passed to renderer") - require.Equal(t, []string{expectedWatchNamespace}, opts.TargetNamespaces) - require.NotNil(t, opts.DeploymentConfig) - require.Equal(t, expectedEnvVars, opts.DeploymentConfig.Env) - return nil, nil - }, - }, - }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: true, - } - - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace).Build()).Build() - - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{ - "watchNamespace": "some-namespace", - "deploymentConfig": { - "env": [{"name": "TEST_ENV", "value": "test-value"}] - } - }`), - }, - }, - }, - }) - require.NoError(t, err) - }) - t.Run("handles empty deploymentConfig gracefully", func(t *testing.T) { provider := applier.RegistryV1ManifestProvider{ BundleRenderer: render.BundleRenderer{ @@ -605,8 +387,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: true, + IsDeploymentConfigEnabled: true, } bundleFS := bundlefs.Builder().WithPackageName("test"). @@ -635,8 +416,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: true, + IsDeploymentConfigEnabled: true, } bundleFS := bundlefs.Builder().WithPackageName("test"). @@ -670,8 +450,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { }, }, }, - IsSingleOwnNamespaceEnabled: true, - IsDeploymentConfigEnabled: false, + IsDeploymentConfigEnabled: false, } bundleFS := bundlefs.Builder().WithPackageName("test"). @@ -692,38 +471,6 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) { require.Contains(t, err.Error(), "unknown field \"deploymentConfig\"") require.ErrorIs(t, err, reconcile.TerminalError(nil), "feature gate disabled error should be terminal") }) - - t.Run("returns terminal error when deploymentConfig is used with SingleOwnNamespace disabled and DeploymentConfig gate disabled", func(t *testing.T) { - provider := applier.RegistryV1ManifestProvider{ - BundleRenderer: render.BundleRenderer{ - ResourceGenerators: []render.ResourceGenerator{ - func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) { - return nil, nil - }, - }, - }, - IsSingleOwnNamespaceEnabled: false, - IsDeploymentConfigEnabled: false, - } - - bundleFS := bundlefs.Builder().WithPackageName("test"). - WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces).Build()).Build() - - _, err := provider.Get(bundleFS, &ocv1.ClusterExtension{ - Spec: ocv1.ClusterExtensionSpec{ - Namespace: "install-namespace", - Config: &ocv1.ClusterExtensionConfig{ - ConfigType: ocv1.ClusterExtensionConfigTypeInline, - Inline: &apiextensionsv1.JSON{ - Raw: []byte(`{"deploymentConfig": {"env": [{"name": "TEST_ENV", "value": "test-value"}]}}`), - }, - }, - }, - }) - require.Error(t, err) - require.Contains(t, err.Error(), "unknown field \"deploymentConfig\"") - require.ErrorIs(t, err, reconcile.TerminalError(nil), "config should not be silently ignored when both feature gates are disabled") - }) } func Test_RegistryV1HelmChartProvider_Integration(t *testing.T) { @@ -815,3 +562,20 @@ type FakeManifestProvider struct { func (f *FakeManifestProvider) Get(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) { return f.GetFn(bundleFS, ext) } + +func requireTargetNamespacesAnnotation(t *testing.T, objs []client.Object, expected string) { + t.Helper() + var found int + for _, obj := range objs { + dep, ok := obj.(*appsv1.Deployment) + if !ok { + continue + } + found++ + annotations := dep.Spec.Template.Annotations + v, exists := annotations["olm.targetNamespaces"] + require.True(t, exists, "deployment %q missing olm.targetNamespaces annotation on pod template", dep.Name) + require.Equal(t, expected, v, "olm.targetNamespaces annotation on deployment %q", dep.Name) + } + require.Positive(t, found, "expected at least one Deployment in rendered objects") +} diff --git a/internal/operator-controller/authentication/synthetic.go b/internal/operator-controller/authentication/synthetic.go deleted file mode 100644 index 710f2885e8..0000000000 --- a/internal/operator-controller/authentication/synthetic.go +++ /dev/null @@ -1,26 +0,0 @@ -package authentication - -import ( - "fmt" - - "k8s.io/client-go/transport" - - ocv1 "github.com/operator-framework/operator-controller/api/v1" -) - -func syntheticUserName(ext ocv1.ClusterExtension) string { - return fmt.Sprintf("olm:clusterextension:%s", ext.Name) -} - -func syntheticGroups(_ ocv1.ClusterExtension) []string { - return []string{ - "olm:clusterextensions", - } -} - -func SyntheticImpersonationConfig(ext ocv1.ClusterExtension) transport.ImpersonationConfig { - return transport.ImpersonationConfig{ - UserName: syntheticUserName(ext), - Groups: syntheticGroups(ext), - } -} diff --git a/internal/operator-controller/authentication/synthetic_test.go b/internal/operator-controller/authentication/synthetic_test.go deleted file mode 100644 index 2e3f17a07b..0000000000 --- a/internal/operator-controller/authentication/synthetic_test.go +++ /dev/null @@ -1,25 +0,0 @@ -package authentication_test - -import ( - "testing" - - "github.com/stretchr/testify/require" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - ocv1 "github.com/operator-framework/operator-controller/api/v1" - "github.com/operator-framework/operator-controller/internal/operator-controller/authentication" -) - -func TestSyntheticImpersonationConfig(t *testing.T) { - config := authentication.SyntheticImpersonationConfig(ocv1.ClusterExtension{ - ObjectMeta: metav1.ObjectMeta{ - Name: "my-ext", - }, - }) - require.Equal(t, "olm:clusterextension:my-ext", config.UserName) - require.Equal(t, []string{ - "olm:clusterextensions", - }, config.Groups) - require.Empty(t, config.UID) - require.Empty(t, config.Extra) -} diff --git a/internal/operator-controller/authentication/tokengetter.go b/internal/operator-controller/authentication/tokengetter.go deleted file mode 100644 index 7870dc8e83..0000000000 --- a/internal/operator-controller/authentication/tokengetter.go +++ /dev/null @@ -1,128 +0,0 @@ -package authentication - -import ( - "context" - "fmt" - "sync" - "time" - - authenticationv1 "k8s.io/api/authentication/v1" - "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - corev1 "k8s.io/client-go/kubernetes/typed/core/v1" - "k8s.io/utils/ptr" -) - -type TokenGetter struct { - client corev1.ServiceAccountsGetter - expirationDuration time.Duration - tokens map[types.NamespacedName]*authenticationv1.TokenRequestStatus - mu sync.RWMutex -} - -type ServiceAccountNotFoundError struct { - ServiceAccountName string - ServiceAccountNamespace string - Err error -} - -func (e *ServiceAccountNotFoundError) Unwrap() error { - return e.Err -} - -// Error implements the error interface for ServiceAccountNotFoundError. -func (e *ServiceAccountNotFoundError) Error() string { - return fmt.Sprintf("service account \"%s\" not found in namespace \"%s\": unable to authenticate with the Kubernetes cluster.", e.ServiceAccountName, e.ServiceAccountNamespace) -} - -type TokenGetterOption func(*TokenGetter) - -const ( - rotationThresholdFraction = 0.1 - DefaultExpirationDuration = 5 * time.Minute -) - -// Returns a token getter that can fetch tokens given a service account. -// The token getter also caches tokens which helps reduce the number of requests to the API Server. -// In case a cached token is expiring a fresh token is created. -func NewTokenGetter(client corev1.ServiceAccountsGetter, options ...TokenGetterOption) *TokenGetter { - tokenGetter := &TokenGetter{ - client: client, - expirationDuration: DefaultExpirationDuration, - tokens: map[types.NamespacedName]*authenticationv1.TokenRequestStatus{}, - } - - for _, opt := range options { - opt(tokenGetter) - } - - return tokenGetter -} - -func WithExpirationDuration(expirationDuration time.Duration) TokenGetterOption { - return func(tg *TokenGetter) { - tg.expirationDuration = expirationDuration - } -} - -// Get returns a token from the cache if available and not expiring, otherwise creates a new token -func (t *TokenGetter) Get(ctx context.Context, key types.NamespacedName) (string, error) { - t.mu.RLock() - token, ok := t.tokens[key] - t.mu.RUnlock() - - expireTime := time.Time{} - if ok { - expireTime = token.ExpirationTimestamp.Time - } - - // Create a new token if the cached token expires within rotationThresholdFraction of expirationDuration from now - rotationThresholdAfterNow := metav1.Now().Add(time.Duration(float64(t.expirationDuration) * (rotationThresholdFraction))) - if expireTime.Before(rotationThresholdAfterNow) { - var err error - token, err = t.getToken(ctx, key) - if err != nil { - return "", err - } - t.mu.Lock() - t.tokens[key] = token - t.mu.Unlock() - } - - // Delete tokens that have expired - t.reapExpiredTokens() - - return token.Token, nil -} - -func (t *TokenGetter) getToken(ctx context.Context, key types.NamespacedName) (*authenticationv1.TokenRequestStatus, error) { - req, err := t.client.ServiceAccounts(key.Namespace).CreateToken(ctx, - key.Name, - &authenticationv1.TokenRequest{ - Spec: authenticationv1.TokenRequestSpec{ExpirationSeconds: ptr.To(int64(t.expirationDuration / time.Second))}, - }, metav1.CreateOptions{}) - if err != nil { - if errors.IsNotFound(err) { - return nil, &ServiceAccountNotFoundError{ServiceAccountName: key.Name, ServiceAccountNamespace: key.Namespace} - } - return nil, err - } - return &req.Status, nil -} - -func (t *TokenGetter) reapExpiredTokens() { - t.mu.Lock() - defer t.mu.Unlock() - for key, token := range t.tokens { - if metav1.Now().Sub(token.ExpirationTimestamp.Time) > 0 { - delete(t.tokens, key) - } - } -} - -func (t *TokenGetter) Delete(key types.NamespacedName) { - t.mu.Lock() - defer t.mu.Unlock() - delete(t.tokens, key) -} diff --git a/internal/operator-controller/authentication/tokengetter_test.go b/internal/operator-controller/authentication/tokengetter_test.go deleted file mode 100644 index 6aebfcc636..0000000000 --- a/internal/operator-controller/authentication/tokengetter_test.go +++ /dev/null @@ -1,89 +0,0 @@ -package authentication - -import ( - "context" - "fmt" - "testing" - "time" - - "github.com/stretchr/testify/assert" - authenticationv1 "k8s.io/api/authentication/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/kubernetes/fake" - ctest "k8s.io/client-go/testing" -) - -func TestTokenGetterGet(t *testing.T) { - fakeClient := fake.NewClientset() - fakeClient.PrependReactor("create", "serviceaccounts/token", - func(action ctest.Action) (bool, runtime.Object, error) { - act, ok := action.(ctest.CreateActionImpl) - if !ok { - return false, nil, nil - } - tokenRequest := act.GetObject().(*authenticationv1.TokenRequest) - var err error - if act.Name == "test-service-account-1" { - tokenRequest.Status = authenticationv1.TokenRequestStatus{ - Token: "test-token-1", - ExpirationTimestamp: metav1.NewTime(metav1.Now().Add(DefaultExpirationDuration)), - } - } - if act.Name == "test-service-account-2" { - tokenRequest.Status = authenticationv1.TokenRequestStatus{ - Token: "test-token-2", - ExpirationTimestamp: metav1.NewTime(metav1.Now().Add(1 * time.Second)), - } - } - if act.Name == "test-service-account-3" { - tokenRequest.Status = authenticationv1.TokenRequestStatus{ - Token: "test-token-3", - ExpirationTimestamp: metav1.NewTime(metav1.Now().Add(-10 * time.Second)), - } - } - if act.Name == "test-service-account-4" { - tokenRequest = nil - err = fmt.Errorf("error when fetching token") - } - return true, tokenRequest, err - }) - - tg := NewTokenGetter(fakeClient.CoreV1(), - WithExpirationDuration(DefaultExpirationDuration)) - - tests := []struct { - testName string - serviceAccountName string - namespace string - want string - errorMsg string - }{ - {"Testing getting token with fake client", "test-service-account-1", - "test-namespace-1", "test-token-1", "failed to get token"}, - {"Testing getting token from cache", "test-service-account-1", - "test-namespace-1", "test-token-1", "failed to get token"}, - {"Testing getting short lived token from fake client", "test-service-account-2", - "test-namespace-2", "test-token-2", "failed to get token"}, - {"Testing getting nearly expired token from cache", "test-service-account-2", - "test-namespace-2", "test-token-2", "failed to refresh token"}, - {"Testing token that expired 10 seconds ago", "test-service-account-3", - "test-namespace-3", "test-token-3", "failed to get token"}, - {"Testing error when getting token from fake client", "test-service-account-4", - "test-namespace-4", "error when fetching token", "error when fetching token"}, - {"Testing service account not found", "missing-sa", - "test-namespace-5", "", "service account \"missing-sa\" not found in namespace \"test-namespace-5\": unable to authenticate with the Kubernetes cluster."}, - } - - for _, tc := range tests { - got, err := tg.Get(context.Background(), types.NamespacedName{Namespace: tc.namespace, Name: tc.serviceAccountName}) - if err != nil { - t.Logf("%s: expected: %v, got: %v", tc.testName, tc.want, err) - assert.EqualError(t, err, tc.errorMsg, "Error message should match expected output") - } else { - t.Logf("%s: expected: %v, got: %v", tc.testName, tc.want, got) - assert.Equal(t, tc.want, got, tc.errorMsg) - } - } -} diff --git a/internal/operator-controller/authentication/tripper.go b/internal/operator-controller/authentication/tripper.go deleted file mode 100644 index 77bc1175c0..0000000000 --- a/internal/operator-controller/authentication/tripper.go +++ /dev/null @@ -1,38 +0,0 @@ -package authentication - -import ( - "fmt" - "net/http" - - "k8s.io/apimachinery/pkg/types" - utilnet "k8s.io/apimachinery/pkg/util/net" -) - -var _ http.RoundTripper = (*TokenInjectingRoundTripper)(nil) - -type TokenInjectingRoundTripper struct { - Tripper http.RoundTripper - TokenGetter *TokenGetter - Key types.NamespacedName -} - -func (tt *TokenInjectingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { - resp, err := tt.do(req) - if resp != nil && resp.StatusCode == http.StatusUnauthorized { - tt.TokenGetter.Delete(tt.Key) - resp, err = tt.do(req) - } - return resp, err -} - -func (tt *TokenInjectingRoundTripper) do(req *http.Request) (*http.Response, error) { - reqClone := utilnet.CloneRequest(req) - token, err := tt.TokenGetter.Get(reqClone.Context(), tt.Key) - if err != nil { - return nil, err - } - - // Always set the Authorization header to our retrieved token - reqClone.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) - return tt.Tripper.RoundTrip(reqClone) -} diff --git a/internal/operator-controller/authorization/rbac.go b/internal/operator-controller/authorization/rbac.go deleted file mode 100644 index d85e532f8b..0000000000 --- a/internal/operator-controller/authorization/rbac.go +++ /dev/null @@ -1,677 +0,0 @@ -package authorization - -import ( - "context" - "errors" - "fmt" - "io" - "maps" - "regexp" - "slices" - "sort" - "strings" - - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/api/meta" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/sets" - apimachyaml "k8s.io/apimachinery/pkg/util/yaml" - "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/authorization/authorizer" - "k8s.io/apiserver/pkg/endpoints/request" - rbacinternal "k8s.io/kubernetes/pkg/apis/rbac" - rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1" - rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" - "k8s.io/kubernetes/pkg/registry/rbac/validation" - rbac "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// UserAuthorizerAttributesFactory is a function that produces a slice of AttributesRecord for user -type UserAuthorizerAttributesFactory func(user user.Info) []authorizer.AttributesRecord - -type PreAuthorizer interface { - // PreAuthorize validates whether the user satisfies the necessary permissions - // as defined by the RBAC policy. It examines the user’s roles, resource identifiers, and - // the intended action to determine if the operation is allowed. Optional additional required permissions are also evaluated - // against user. - // - // Return Value: - // - nil: indicates that the authorization check passed and the operation is permitted. - // - non-nil error: indicates that an error occurred during the permission evaluation process - // (for example, a failure decoding the manifest or other internal issues). If the evaluation - // completes successfully but identifies missing rules, then a nil error is returned along with - // the list (or slice) of missing rules. Note that in some cases the error may encapsulate multiple - // evaluation failures - PreAuthorize(ctx context.Context, user user.Info, manifestReader io.Reader, additionalRequiredPerms ...UserAuthorizerAttributesFactory) ([]ScopedPolicyRules, error) -} - -type ScopedPolicyRules struct { - Namespace string - MissingRules []rbacv1.PolicyRule -} - -var objectVerbs = []string{"get", "patch", "update", "delete"} - -// Here we are splitting collection verbs based on required scope -// NB: this split is tightly coupled to the requirements of the contentmanager, specifically -// its need for cluster-scoped list/watch permissions. -// TODO: We are accepting this coupling for now, but plan to decouple -// TODO: link for above https://github.com/operator-framework/operator-controller/issues/1911 -var namespacedCollectionVerbs = []string{"create"} -var clusterCollectionVerbs = []string{"list", "watch"} - -type rbacPreAuthorizer struct { - authorizer authorizer.Authorizer - ruleResolver validation.AuthorizationRuleResolver - restMapper meta.RESTMapper -} - -func NewRBACPreAuthorizer(cl client.Client) PreAuthorizer { - return &rbacPreAuthorizer{ - authorizer: newRBACAuthorizer(cl), - ruleResolver: newRBACRulesResolver(cl), - restMapper: cl.RESTMapper(), - } -} - -func (a *rbacPreAuthorizer) PreAuthorize(ctx context.Context, user user.Info, manifestReader io.Reader, additionalRequiredPerms ...UserAuthorizerAttributesFactory) ([]ScopedPolicyRules, error) { - dm, err := a.decodeManifest(manifestReader) - if err != nil { - return nil, err - } - - // derive manifest related attributes records - attributesRecords := dm.asAuthorizationAttributesRecordsForUser(user) - - // append additional required perms - for _, fn := range additionalRequiredPerms { - attributesRecords = append(attributesRecords, fn(user)...) - } - - var preAuthEvaluationErrors []error - missingRules, err := a.authorizeAttributesRecords(ctx, attributesRecords) - if err != nil { - preAuthEvaluationErrors = append(preAuthEvaluationErrors, err) - } - - ec := a.escalationCheckerFor(dm) - - var parseErrors []error - for _, obj := range dm.rbacObjects() { - if err := ec.checkEscalation(ctx, user, obj); err != nil { - result, err := parseEscalationErrorForMissingRules(err) - missingRules[obj.GetNamespace()] = append(missingRules[obj.GetNamespace()], result.MissingRules...) - preAuthEvaluationErrors = append(preAuthEvaluationErrors, result.ResolutionErrors) - parseErrors = append(parseErrors, err) - } - } - allMissingPolicyRules := make([]ScopedPolicyRules, 0, len(missingRules)) - - for ns, nsMissingRules := range missingRules { - // NOTE: Although CompactRules is defined to return an error, its current implementation - // never produces a non-nil error. This is because all operations within the function are - // designed to succeed under current conditions. In the future, if more complex rule validations - // are introduced, this behavior may change and proper error handling will be required. - if compactMissingRules, err := validation.CompactRules(nsMissingRules); err == nil { - missingRules[ns] = compactMissingRules - } - - missingRulesWithDeduplicatedVerbs := make([]rbacv1.PolicyRule, 0, len(missingRules[ns])) - for _, rule := range missingRules[ns] { - verbSet := sets.New[string](rule.Verbs...) - if verbSet.Has("*") { - rule.Verbs = []string{"*"} - } else { - rule.Verbs = sets.List(verbSet) - } - missingRulesWithDeduplicatedVerbs = append(missingRulesWithDeduplicatedVerbs, rule) - } - - sortableRules := rbacv1helpers.SortableRuleSlice(missingRulesWithDeduplicatedVerbs) - - sort.Sort(sortableRules) - allMissingPolicyRules = append(allMissingPolicyRules, ScopedPolicyRules{Namespace: ns, MissingRules: sortableRules}) - } - - // sort allMissingPolicyRules alphabetically by namespace - slices.SortFunc(allMissingPolicyRules, func(a, b ScopedPolicyRules) int { - return strings.Compare(a.Namespace, b.Namespace) - }) - - var errs []error - if parseErr := errors.Join(parseErrors...); parseErr != nil { - errs = append(errs, fmt.Errorf("failed to parse escalation check error strings: %v", parseErr)) - } - if preAuthEvaluationErrors := errors.Join(preAuthEvaluationErrors...); preAuthEvaluationErrors != nil { - errs = append(errs, fmt.Errorf("failed to resolve or evaluate permissions: %v", preAuthEvaluationErrors)) - } - if len(errs) > 0 { - return allMissingPolicyRules, fmt.Errorf("missing rules may be incomplete: %w", errors.Join(errs...)) - } - return allMissingPolicyRules, nil -} - -func (a *rbacPreAuthorizer) escalationCheckerFor(dm *decodedManifest) escalationChecker { - ec := escalationChecker{ - authorizer: a.authorizer, - ruleResolver: a.ruleResolver, - extraClusterRoles: dm.clusterRoles, - extraRoles: dm.roles, - } - return ec -} - -func (a *rbacPreAuthorizer) decodeManifest(manifestReader io.Reader) (*decodedManifest, error) { - dm := &decodedManifest{ - gvrs: map[schema.GroupVersionResource][]types.NamespacedName{}, - clusterRoles: map[client.ObjectKey]rbacv1.ClusterRole{}, - roles: map[client.ObjectKey]rbacv1.Role{}, - clusterRoleBindings: map[client.ObjectKey]rbacv1.ClusterRoleBinding{}, - roleBindings: map[client.ObjectKey]rbacv1.RoleBinding{}, - } - var ( - i int - errs []error - decoder = apimachyaml.NewYAMLOrJSONDecoder(manifestReader, 1024) - ) - for { - var uObj unstructured.Unstructured - err := decoder.Decode(&uObj) - if errors.Is(err, io.EOF) { - break - } - if err != nil { - errs = append(errs, fmt.Errorf("could not decode object %d in manifest: %w", i, err)) - continue - } - gvk := uObj.GroupVersionKind() - restMapping, err := a.restMapper.RESTMapping(gvk.GroupKind(), gvk.Version) - if err != nil { - var objName string - if name := uObj.GetName(); name != "" { - objName = fmt.Sprintf(" (name: %s)", name) - } - - errs = append( - errs, - fmt.Errorf("could not get REST mapping for object %d in manifest with GVK %s%s: %w", i, gvk, objName, err), - ) - continue - } - - gvr := restMapping.Resource - dm.gvrs[gvr] = append(dm.gvrs[gvr], client.ObjectKeyFromObject(&uObj)) - - switch restMapping.Resource.GroupResource() { - case schema.GroupResource{Group: rbacv1.GroupName, Resource: "clusterroles"}: - obj := &rbacv1.ClusterRole{} - if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil { - errs = append(errs, fmt.Errorf("could not decode object %d in manifest as ClusterRole: %w", i, err)) - continue - } - dm.clusterRoles[client.ObjectKeyFromObject(obj)] = *obj - case schema.GroupResource{Group: rbacv1.GroupName, Resource: "clusterrolebindings"}: - obj := &rbacv1.ClusterRoleBinding{} - if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil { - errs = append(errs, fmt.Errorf("could not decode object %d in manifest as ClusterRoleBinding: %w", i, err)) - continue - } - dm.clusterRoleBindings[client.ObjectKeyFromObject(obj)] = *obj - case schema.GroupResource{Group: rbacv1.GroupName, Resource: "roles"}: - obj := &rbacv1.Role{} - if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil { - errs = append(errs, fmt.Errorf("could not decode object %d in manifest as Role: %w", i, err)) - continue - } - dm.roles[client.ObjectKeyFromObject(obj)] = *obj - case schema.GroupResource{Group: rbacv1.GroupName, Resource: "rolebindings"}: - obj := &rbacv1.RoleBinding{} - if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil { - errs = append(errs, fmt.Errorf("could not decode object %d in manifest as RoleBinding: %w", i, err)) - continue - } - dm.roleBindings[client.ObjectKeyFromObject(obj)] = *obj - } - } - if len(errs) > 0 { - return nil, errors.Join(errs...) - } - return dm, nil -} - -func (a *rbacPreAuthorizer) authorizeAttributesRecords(ctx context.Context, attributesRecords []authorizer.AttributesRecord) (map[string][]rbacv1.PolicyRule, error) { - var ( - missingRules = map[string][]rbacv1.PolicyRule{} - errs []error - ) - for _, ar := range attributesRecords { - allow, err := a.attributesAllowed(ctx, ar) - if err != nil { - errs = append(errs, err) - continue - } - if !allow { - missingRules[ar.Namespace] = append(missingRules[ar.Namespace], policyRuleFromAttributesRecord(ar)) - } - } - return missingRules, errors.Join(errs...) -} - -func (a *rbacPreAuthorizer) attributesAllowed(ctx context.Context, attributesRecord authorizer.AttributesRecord) (bool, error) { - decision, reason, err := a.authorizer.Authorize(ctx, attributesRecord) - if err != nil { - if reason != "" { - return false, fmt.Errorf("%s: %w", reason, err) - } - return false, err - } - return decision == authorizer.DecisionAllow, nil -} - -func policyRuleFromAttributesRecord(attributesRecord authorizer.AttributesRecord) rbacv1.PolicyRule { - pr := rbacv1.PolicyRule{} - if attributesRecord.Verb != "" { - pr.Verbs = []string{attributesRecord.Verb} - } - if !attributesRecord.ResourceRequest { - pr.NonResourceURLs = []string{attributesRecord.Path} - return pr - } - - pr.APIGroups = []string{attributesRecord.APIGroup} - if attributesRecord.Name != "" { - pr.ResourceNames = []string{attributesRecord.Name} - } - - r := attributesRecord.Resource - if attributesRecord.Subresource != "" { - r += "/" + attributesRecord.Subresource - } - pr.Resources = []string{r} - - return pr -} - -type decodedManifest struct { - gvrs map[schema.GroupVersionResource][]types.NamespacedName - clusterRoles map[client.ObjectKey]rbacv1.ClusterRole - roles map[client.ObjectKey]rbacv1.Role - clusterRoleBindings map[client.ObjectKey]rbacv1.ClusterRoleBinding - roleBindings map[client.ObjectKey]rbacv1.RoleBinding -} - -func (dm *decodedManifest) rbacObjects() []client.Object { - objects := make([]client.Object, 0, len(dm.clusterRoles)+len(dm.roles)+len(dm.clusterRoleBindings)+len(dm.roleBindings)) - for obj := range maps.Values(dm.clusterRoles) { - objects = append(objects, &obj) - } - for obj := range maps.Values(dm.roles) { - objects = append(objects, &obj) - } - for obj := range maps.Values(dm.clusterRoleBindings) { - objects = append(objects, &obj) - } - for obj := range maps.Values(dm.roleBindings) { - objects = append(objects, &obj) - } - return objects -} - -func (dm *decodedManifest) asAuthorizationAttributesRecordsForUser(manifestManager user.Info) []authorizer.AttributesRecord { - // Calculate initial capacity as an upper-bound estimate: - // - For each key: len(objectVerbs) records (4) - // - For unique namespaces: len(namespacedCollectionVerbs) records (1 per unique namespace across all keys in a GVR) - // We use totalKeys as upper bound (worst case: each key in different namespace) - // - For each GVR: len(clusterCollectionVerbs) records (2) - totalKeys := 0 - for _, keys := range dm.gvrs { - totalKeys += len(keys) - } - estimatedCapacity := totalKeys*len(objectVerbs) + totalKeys*len(namespacedCollectionVerbs) + len(dm.gvrs)*len(clusterCollectionVerbs) - attributeRecords := make([]authorizer.AttributesRecord, 0, estimatedCapacity) - - for gvr, keys := range dm.gvrs { - namespaces := sets.New[string]() - for _, k := range keys { - namespaces.Insert(k.Namespace) - // generate records for object-specific verbs (get, update, patch, delete) in their respective namespaces - for _, v := range objectVerbs { - attributeRecords = append(attributeRecords, authorizer.AttributesRecord{ - User: manifestManager, - Namespace: k.Namespace, - Name: k.Name, - APIGroup: gvr.Group, - APIVersion: gvr.Version, - Resource: gvr.Resource, - ResourceRequest: true, - Verb: v, - }) - } - } - // generate records for namespaced collection verbs (create) for each relevant namespace - for _, ns := range sets.List(namespaces) { - for _, v := range namespacedCollectionVerbs { - attributeRecords = append(attributeRecords, authorizer.AttributesRecord{ - User: manifestManager, - Namespace: ns, - APIGroup: gvr.Group, - APIVersion: gvr.Version, - Resource: gvr.Resource, - ResourceRequest: true, - Verb: v, - }) - } - } - // generate records for cluster-scoped collection verbs (list, watch) required by contentmanager - for _, v := range clusterCollectionVerbs { - attributeRecords = append(attributeRecords, authorizer.AttributesRecord{ - User: manifestManager, - Namespace: corev1.NamespaceAll, // check cluster scope - APIGroup: gvr.Group, - APIVersion: gvr.Version, - Resource: gvr.Resource, - ResourceRequest: true, - Verb: v, - }) - } - } - return attributeRecords -} - -func newRBACAuthorizer(cl client.Client) authorizer.Authorizer { - rg := &rbacGetter{cl: cl} - return rbac.New(rg, rg, rg, rg) -} - -type rbacGetter struct { - cl client.Client -} - -func (r rbacGetter) ListClusterRoleBindings(ctx context.Context) ([]*rbacv1.ClusterRoleBinding, error) { - var clusterRoleBindingsList rbacv1.ClusterRoleBindingList - if err := r.cl.List(ctx, &clusterRoleBindingsList); err != nil { - return nil, err - } - return toPtrSlice(clusterRoleBindingsList.Items), nil -} - -func (r rbacGetter) GetClusterRole(ctx context.Context, name string) (*rbacv1.ClusterRole, error) { - var clusterRole rbacv1.ClusterRole - if err := r.cl.Get(ctx, client.ObjectKey{Name: name}, &clusterRole); err != nil { - return nil, err - } - return &clusterRole, nil -} - -func (r rbacGetter) ListRoleBindings(ctx context.Context, namespace string) ([]*rbacv1.RoleBinding, error) { - var roleBindingsList rbacv1.RoleBindingList - if err := r.cl.List(ctx, &roleBindingsList, client.InNamespace(namespace)); err != nil { - return nil, err - } - return toPtrSlice(roleBindingsList.Items), nil -} - -func (r rbacGetter) GetRole(ctx context.Context, namespace, name string) (*rbacv1.Role, error) { - var role rbacv1.Role - if err := r.cl.Get(ctx, client.ObjectKey{Name: name, Namespace: namespace}, &role); err != nil { - return nil, err - } - return &role, nil -} - -func newRBACRulesResolver(cl client.Client) validation.AuthorizationRuleResolver { - rg := &rbacGetter{cl: cl} - return validation.NewDefaultRuleResolver(rg, rg, rg, rg) -} - -type escalationChecker struct { - authorizer authorizer.Authorizer - ruleResolver validation.AuthorizationRuleResolver - extraRoles map[types.NamespacedName]rbacv1.Role - extraClusterRoles map[types.NamespacedName]rbacv1.ClusterRole -} - -func (ec *escalationChecker) checkEscalation(ctx context.Context, manifestManager user.Info, obj client.Object) error { - ctx = request.WithUser(request.WithNamespace(ctx, obj.GetNamespace()), manifestManager) - switch v := obj.(type) { - case *rbacv1.Role: - ctx = request.WithRequestInfo(ctx, &request.RequestInfo{APIGroup: rbacv1.GroupName, Resource: "roles", IsResourceRequest: true}) - return ec.checkRoleEscalation(ctx, v) - case *rbacv1.RoleBinding: - ctx = request.WithRequestInfo(ctx, &request.RequestInfo{APIGroup: rbacv1.GroupName, Resource: "rolebindings", IsResourceRequest: true}) - return ec.checkRoleBindingEscalation(ctx, v) - case *rbacv1.ClusterRole: - ctx = request.WithRequestInfo(ctx, &request.RequestInfo{APIGroup: rbacv1.GroupName, Resource: "clusterroles", IsResourceRequest: true}) - return ec.checkClusterRoleEscalation(ctx, v) - case *rbacv1.ClusterRoleBinding: - ctx = request.WithRequestInfo(ctx, &request.RequestInfo{APIGroup: rbacv1.GroupName, Resource: "clusterrolebindings", IsResourceRequest: true}) - return ec.checkClusterRoleBindingEscalation(ctx, v) - default: - return fmt.Errorf("unknown object type %T", v) - } -} - -func (ec *escalationChecker) checkClusterRoleEscalation(ctx context.Context, clusterRole *rbacv1.ClusterRole) error { - if rbacregistry.EscalationAllowed(ctx) || rbacregistry.RoleEscalationAuthorized(ctx, ec.authorizer) { - return nil - } - - // to set the aggregation rule, since it can gather anything, requires * on *.* - if hasAggregationRule(clusterRole) { - if err := validation.ConfirmNoEscalation(ctx, ec.ruleResolver, fullAuthority); err != nil { - return fmt.Errorf("must have cluster-admin privileges to use an aggregationRule: %w", err) - } - } - - if err := validation.ConfirmNoEscalation(ctx, ec.ruleResolver, clusterRole.Rules); err != nil { - return err - } - return nil -} - -func (ec *escalationChecker) checkClusterRoleBindingEscalation(ctx context.Context, clusterRoleBinding *rbacv1.ClusterRoleBinding) error { - if rbacregistry.EscalationAllowed(ctx) { - return nil - } - - roleRef := rbacinternal.RoleRef{} - err := rbacv1helpers.Convert_v1_RoleRef_To_rbac_RoleRef(&clusterRoleBinding.RoleRef, &roleRef, nil) - if err != nil { - return err - } - - if rbacregistry.BindingAuthorized(ctx, roleRef, metav1.NamespaceNone, ec.authorizer) { - return nil - } - - rules, err := ec.ruleResolver.GetRoleReferenceRules(ctx, clusterRoleBinding.RoleRef, metav1.NamespaceNone) - if err != nil && !apierrors.IsNotFound(err) { - return err - } - - if clusterRoleBinding.RoleRef.Kind == "ClusterRole" { - if manifestClusterRole, ok := ec.extraClusterRoles[types.NamespacedName{Name: clusterRoleBinding.RoleRef.Name}]; ok { - rules = append(rules, manifestClusterRole.Rules...) - } - } - - if err := validation.ConfirmNoEscalation(ctx, ec.ruleResolver, rules); err != nil { - return err - } - return nil -} - -func (ec *escalationChecker) checkRoleEscalation(ctx context.Context, role *rbacv1.Role) error { - if rbacregistry.EscalationAllowed(ctx) || rbacregistry.RoleEscalationAuthorized(ctx, ec.authorizer) { - return nil - } - - rules := role.Rules - if err := validation.ConfirmNoEscalation(ctx, ec.ruleResolver, rules); err != nil { - return err - } - return nil -} - -func (ec *escalationChecker) checkRoleBindingEscalation(ctx context.Context, roleBinding *rbacv1.RoleBinding) error { - if rbacregistry.EscalationAllowed(ctx) { - return nil - } - - roleRef := rbacinternal.RoleRef{} - err := rbacv1helpers.Convert_v1_RoleRef_To_rbac_RoleRef(&roleBinding.RoleRef, &roleRef, nil) - if err != nil { - return err - } - if rbacregistry.BindingAuthorized(ctx, roleRef, roleBinding.Namespace, ec.authorizer) { - return nil - } - - rules, err := ec.ruleResolver.GetRoleReferenceRules(ctx, roleBinding.RoleRef, roleBinding.Namespace) - if err != nil && !apierrors.IsNotFound(err) { - return err - } - - switch roleRef.Kind { - case "ClusterRole": - if manifestClusterRole, ok := ec.extraClusterRoles[types.NamespacedName{Name: roleBinding.RoleRef.Name}]; ok { - rules = append(rules, manifestClusterRole.Rules...) - } - case "Role": - if manifestRole, ok := ec.extraRoles[types.NamespacedName{Namespace: roleBinding.Namespace, Name: roleBinding.RoleRef.Name}]; ok { - rules = append(rules, manifestRole.Rules...) - } - } - - if err := validation.ConfirmNoEscalation(ctx, ec.ruleResolver, rules); err != nil { - return err - } - return nil -} - -var fullAuthority = []rbacv1.PolicyRule{ - {Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}, - {Verbs: []string{"*"}, NonResourceURLs: []string{"*"}}, -} - -var ( - errRegex = regexp.MustCompile(`(?s)^user ".*" \(groups=.*\) is attempting to grant RBAC permissions not currently held:\n([^;]+)(?:; resolution errors: (.*))?$`) - ruleRegex = regexp.MustCompile(`{([^}]*)}`) - itemRegex = regexp.MustCompile(`"[^"]*"`) -) - -type parseResult struct { - MissingRules []rbacv1.PolicyRule - ResolutionErrors error -} - -// TODO: Investigate replacing this regex parsing with structured error handling once there are -// -// structured RBAC errors introduced by https://github.com/kubernetes/kubernetes/pull/130955. -// -// parseEscalationErrorForMissingRules attempts to extract specific RBAC permissions -// that were denied due to escalation prevention from a given error's text. -// It returns the list of extracted PolicyRules and an error detailing the escalation attempt -// and any resolution errors found. -// Note: If parsing is successful, the returned error is derived from the *input* error's -// message, not an error encountered during the parsing process itself. If parsing fails due to an unexpected -// error format, a distinct parsing error is returned. -func parseEscalationErrorForMissingRules(ecError error) (*parseResult, error) { - var ( - result = &parseResult{} - parseErrors []error - ) - - // errRegex captures the missing permissions and optionally resolution errors from an escalation error message - // Group 1: The list of missing permissions - // Group 2: Optional resolution errors - errString := ecError.Error() - errMatches := errRegex.FindStringSubmatch(errString) // Use FindStringSubmatch for single match expected - - // Check if the main error message pattern was matched and captured the required groups - // We expect at least 3 elements: full match, missing permissions, resolution errors (can be empty) - if len(errMatches) != 3 { - // The error format doesn't match the expected pattern for escalation errors - return &parseResult{}, fmt.Errorf("unexpected format of escalation check error string: %q", errString) - } - missingPermissionsStr := errMatches[1] - if resolutionErrorsStr := errMatches[2]; resolutionErrorsStr != "" { - result.ResolutionErrors = errors.New(resolutionErrorsStr) - } - - // Extract permissions using permRegex from the captured permissions string (Group 1) - for _, rule := range ruleRegex.FindAllString(missingPermissionsStr, -1) { - pr, err := parseCompactRuleString(rule) - if err != nil { - parseErrors = append(parseErrors, err) - continue - } - result.MissingRules = append(result.MissingRules, *pr) - } - // Return the extracted permissions and the constructed error message - return result, errors.Join(parseErrors...) -} - -func parseCompactRuleString(rule string) (*rbacv1.PolicyRule, error) { - var fields []string - if ruleText := rule[1 : len(rule)-1]; ruleText != "" { - fields = mapSlice(strings.Split(ruleText, ","), func(in string) string { - return strings.TrimSpace(in) - }) - } - var pr rbacv1.PolicyRule - for _, item := range fields { - field, valuesStr, ok := strings.Cut(item, ":") - if !ok { - return nil, fmt.Errorf("unexpected item %q: expected :[...]", item) - } - values := mapSlice(itemRegex.FindAllString(valuesStr, -1), func(in string) string { - return strings.Trim(in, `"`) - }) - switch field { - case "APIGroups": - pr.APIGroups = values - case "Resources": - pr.Resources = values - case "ResourceNames": - pr.ResourceNames = values - case "NonResourceURLs": - pr.NonResourceURLs = values - case "Verbs": - pr.Verbs = values - default: - return nil, fmt.Errorf("unexpected item %q: unknown field: %q", item, field) - } - } - return &pr, nil -} - -func hasAggregationRule(clusterRole *rbacv1.ClusterRole) bool { - // Currently, an aggregation rule is considered present only if it has one or more selectors. - // An empty slice of ClusterRoleSelectors means no selectors were provided, - // which does NOT imply "match all." - return clusterRole.AggregationRule != nil && len(clusterRole.AggregationRule.ClusterRoleSelectors) > 0 -} - -func mapSlice[I, O any](in []I, f func(I) O) []O { - out := make([]O, len(in)) - for i := range in { - out[i] = f(in[i]) - } - return out -} - -func toPtrSlice[V any](in []V) []*V { - out := make([]*V, len(in)) - for i := range in { - out[i] = &in[i] - } - return out -} diff --git a/internal/operator-controller/authorization/rbac_test.go b/internal/operator-controller/authorization/rbac_test.go deleted file mode 100644 index 9d80cc52bb..0000000000 --- a/internal/operator-controller/authorization/rbac_test.go +++ /dev/null @@ -1,759 +0,0 @@ -package authorization - -import ( - "context" - "errors" - "fmt" - "strings" - "testing" - - "github.com/stretchr/testify/require" - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" - "k8s.io/apimachinery/pkg/api/meta/testrestmapper" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/authorization/authorizer" - "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/kubernetes/pkg/registry/rbac/validation" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/fake" -) - -var ( - testManifest = `apiVersion: v1 -kind: Service -metadata: - name: test-service - namespace: test-namespace -spec: - clusterIP: None ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: test-extension-role - namespace: test-namespace -rules: -- apiGroups: ["*"] - resources: [serviceaccounts] - verbs: [watch] -- apiGroups: ["*"] - resources: [certificates] - verbs: [create] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: test-extension-binding - namespace: test-namespace -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: test-extension-role -subjects: -- kind: ServiceAccount - name: test-serviceaccount - namespace: test-namespace - ` - - testManifestMultiNamespace = `apiVersion: v1 -kind: Service -metadata: - name: test-service - namespace: test-namespace -spec: - clusterIP: None ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: test-extension-role - namespace: test-namespace -rules: -- apiGroups: ["*"] - resources: [serviceaccounts] - verbs: [watch] -- apiGroups: ["*"] - resources: [certificates] - verbs: [create] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: test-extension-binding - namespace: test-namespace -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: test-extension-role -subjects: -- kind: ServiceAccount - name: test-serviceaccount - namespace: test-namespace ---- -kind: Service -metadata: - name: test-service - namespace: a-test-namespace -spec: - clusterIP: None ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: test-extension-role - namespace: a-test-namespace -rules: -- apiGroups: ["*"] - resources: [serviceaccounts] - verbs: [watch] -- apiGroups: ["*"] - resources: [certificates] - verbs: [create] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: test-extension-binding - namespace: a-test-namespace -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: test-extension-role -subjects: -- kind: ServiceAccount - name: test-serviceaccount - namespace: a-test-namespace - ` - - saName = "test-serviceaccount" - ns = "test-namespace" - testUser = &user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ns, saName)} - - objects = []client.Object{ - &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-namespace", - }, - }, - &rbacv1.ClusterRoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: "admin-clusterrole-binding", - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: saName, - Namespace: ns, - }, - }, - RoleRef: rbacv1.RoleRef{ - Name: "admin-clusterrole", - Kind: "ClusterRole", - }, - }, - &corev1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-serviceaccount", - Namespace: "test-namespace", - }, - }, - } - - privilegedClusterRole = &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: "admin-clusterrole", - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{"*"}, - Resources: []string{"*"}, - Verbs: []string{"*"}, - }, - }, - } - - limitedClusterRole = &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: "admin-clusterrole", - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{""}, - Verbs: []string{""}, - }, - }, - } - - escalatingClusterRole = &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: "admin-clusterrole", - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{"*"}, - Resources: []string{"serviceaccounts", "services"}, - Verbs: []string{"*"}, - }, - { - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles", "clusterroles", "rolebindings", "clusterrolebindings"}, - Verbs: []string{"get", "patch", "watch", "list", "create", "update", "delete", "escalate", "bind"}, - }, - }, - } - - expectedSingleNamespaceMissingRules = []ScopedPolicyRules{ - { - Namespace: "", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil)}, - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil)}, - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil), - }, - }, - }, - { - Namespace: "test-namespace", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"create"}, - APIGroups: []string{"*"}, - Resources: []string{"certificates"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{""}, - Resources: []string{"services"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - ResourceNames: []string{"test-service"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}, - ResourceNames: []string{"test-extension-binding"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}, - ResourceNames: []string{"test-extension-role"}}, - { - Verbs: []string{"watch"}, - APIGroups: []string{"*"}, - Resources: []string{"serviceaccounts"}, - }, - }, - }, - } - - expectedMultiNamespaceMissingRules = []ScopedPolicyRules{ - { - Namespace: "", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil)}, - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil)}, - { - Verbs: []string{"list", "watch"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}, - ResourceNames: []string(nil), - NonResourceURLs: []string(nil), - }, - }, - }, - { - Namespace: "a-test-namespace", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"create"}, - APIGroups: []string{"*"}, - Resources: []string{"certificates"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{""}, - Resources: []string{"services"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - ResourceNames: []string{"test-service"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}, - ResourceNames: []string{"test-extension-binding"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}, - ResourceNames: []string{"test-extension-role"}}, - { - Verbs: []string{"watch"}, - APIGroups: []string{"*"}, - Resources: []string{"serviceaccounts"}, - }, - }, - }, - { - Namespace: "test-namespace", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"create"}, - APIGroups: []string{"*"}, - Resources: []string{"certificates"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{""}, - Resources: []string{"services"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}}, - { - Verbs: []string{"create"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{""}, - Resources: []string{"services"}, - ResourceNames: []string{"test-service"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}, - ResourceNames: []string{"test-extension-binding"}}, - { - Verbs: []string{"delete", "get", "patch", "update"}, - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}, - ResourceNames: []string{"test-extension-role"}}, - { - Verbs: []string{"watch"}, - APIGroups: []string{"*"}, - Resources: []string{"serviceaccounts"}, - }, - }, - }, - } -) - -func setupFakeClient(role client.Object) client.Client { - s := runtime.NewScheme() - _ = corev1.AddToScheme(s) - _ = rbacv1.AddToScheme(s) - restMapper := testrestmapper.TestOnlyStaticRESTMapper(s) - fakeClientBuilder := fake.NewClientBuilder().WithObjects(append(objects, role)...).WithRESTMapper(restMapper) - return fakeClientBuilder.Build() -} - -func TestPreAuthorize_Success(t *testing.T) { - t.Run("preauthorize succeeds with no missing rbac rules", func(t *testing.T) { - fakeClient := setupFakeClient(privilegedClusterRole) - preAuth := NewRBACPreAuthorizer(fakeClient) - missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest)) - require.NoError(t, err) - require.Equal(t, []ScopedPolicyRules{}, missingRules) - }) -} - -func TestPreAuthorize_MissingRBAC(t *testing.T) { - t.Run("preauthorize fails and finds missing rbac rules", func(t *testing.T) { - fakeClient := setupFakeClient(limitedClusterRole) - preAuth := NewRBACPreAuthorizer(fakeClient) - missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest)) - require.NoError(t, err) - require.Equal(t, expectedSingleNamespaceMissingRules, missingRules) - }) -} - -func TestPreAuthorizeMultiNamespace_MissingRBAC(t *testing.T) { - t.Run("preauthorize fails and finds missing rbac rules in multiple namespaces", func(t *testing.T) { - fakeClient := setupFakeClient(limitedClusterRole) - preAuth := NewRBACPreAuthorizer(fakeClient) - missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifestMultiNamespace)) - require.NoError(t, err) - require.Equal(t, expectedMultiNamespaceMissingRules, missingRules) - }) -} - -func TestPreAuthorize_CheckEscalation(t *testing.T) { - t.Run("preauthorize succeeds with no missing rbac rules", func(t *testing.T) { - fakeClient := setupFakeClient(escalatingClusterRole) - preAuth := NewRBACPreAuthorizer(fakeClient) - missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest)) - require.NoError(t, err) - require.Equal(t, []ScopedPolicyRules{}, missingRules) - }) -} - -func TestPreAuthorize_AdditionalRequiredPerms_MissingRBAC(t *testing.T) { - t.Run("preauthorize fails and finds missing rbac rules coming from the additional required permissions", func(t *testing.T) { - fakeClient := setupFakeClient(escalatingClusterRole) - preAuth := NewRBACPreAuthorizer(fakeClient) - missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest), func(user user.Info) []authorizer.AttributesRecord { - return []authorizer.AttributesRecord{ - { - User: user, - Verb: "create", - APIGroup: corev1.SchemeGroupVersion.Group, - APIVersion: corev1.SchemeGroupVersion.Version, - Resource: "pods", - ResourceRequest: true, - }, - } - }) - require.NoError(t, err) - require.Equal(t, []ScopedPolicyRules{ - { - Namespace: "", - MissingRules: []rbacv1.PolicyRule{ - { - Verbs: []string{"create"}, - APIGroups: []string{""}, - Resources: []string{"pods"}, - }, - }, - }, - }, missingRules) - }) -} - -// TestParseEscalationErrorForMissingRules Are tests with respect to https://github.com/kubernetes/api/blob/e8d4d542f6a9a16a694bfc8e3b8cd1557eecfc9d/rbac/v1/types.go#L49-L74 -// Goal is: prove the regex works as planned AND that if the error messages ever change we'll learn about it with these tests -func TestParseEscalationErrorForMissingRules_ParsingLogic(t *testing.T) { - testCases := []struct { - name string - inputError error - expectedResult *parseResult - expectError require.ErrorAssertionFunc - }{ - { - name: "One Missing Resource Rule", - inputError: errors.New(`user "test-user" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:["apps"], Resources:["deployments"], Verbs:["get"]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"get"}}, - }, - }, - expectError: require.NoError, - }, - { - name: "Multiple Missing Rules (Resource + NonResource)", - inputError: errors.New(`user "sa" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:[""], Resources:["pods"], Verbs:["list" "watch"]} -{NonResourceURLs:["/healthz"], Verbs:["get"]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"list", "watch"}}, - {NonResourceURLs: []string{"/healthz"}, Verbs: []string{"get"}}, - }, - }, - expectError: require.NoError, - }, - { - name: "One Missing Rule with Resolution Errors", - inputError: errors.New(`user "test-admin" (groups=["system:masters"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:["batch"], Resources:["jobs"], Verbs:["create"]}; resolution errors: [role "missing-role" not found]`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{"batch"}, Resources: []string{"jobs"}, Verbs: []string{"create"}}, - }, - ResolutionErrors: errors.New(`[role "missing-role" not found]`), - }, - expectError: require.NoError, - }, - { - name: "Multiple Missing Rules with Resolution Errors", - inputError: errors.New(`user "another-user" (groups=[]) is attempting to grant RBAC permissions not currently held: -{APIGroups:[""], Resources:["secrets"], Verbs:["get"]} -{APIGroups:[""], Resources:["configmaps"], Verbs:["list"]}; resolution errors: [clusterrole "missing-clusterrole" not found, role "other-missing" not found]`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}}, - {APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"list"}}, - }, - ResolutionErrors: errors.New(`[clusterrole "missing-clusterrole" not found, role "other-missing" not found]`), - }, - expectError: require.NoError, - }, - { - name: "Missing Rule (All Resource Fields)", - inputError: errors.New(`user "resource-name-user" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:["extensions"], Resources:["ingresses"], ResourceNames:["my-ingress"], Verbs:["update" "patch"]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{"extensions"}, Resources: []string{"ingresses"}, ResourceNames: []string{"my-ingress"}, Verbs: []string{"update", "patch"}}, - }, - }, - expectError: require.NoError, - }, - { - name: "Missing Rule (No ResourceNames)", - inputError: errors.New(`user "no-res-name-user" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:["networking.k8s.io"], Resources:["networkpolicies"], Verbs:["watch"]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{"networking.k8s.io"}, Resources: []string{"networkpolicies"}, Verbs: []string{"watch"}}, - }, - }, - expectError: require.NoError, - }, - { - name: "Missing Rule (NonResourceURLs only)", - inputError: errors.New(`user "url-user" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{NonResourceURLs:["/version" "/apis"], Verbs:["get"]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {NonResourceURLs: []string{"/version", "/apis"}, Verbs: []string{"get"}}, - }, - }, - expectError: require.NoError, - }, - { - name: "Unexpected Format", - inputError: errors.New("some completely different error message that doesn't match"), - expectedResult: &parseResult{}, - expectError: func(t require.TestingT, err error, i ...interface{}) { - require.ErrorContains(t, err, "unexpected format of escalation check error string") - }, - }, - { - name: "Empty Permissions String", - inputError: errors.New(`user "empty-perms" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -`), - expectedResult: &parseResult{}, - expectError: func(t require.TestingT, err error, i ...interface{}) { - require.ErrorContains(t, err, "unexpected format of escalation check error string") - }, - }, - { - name: "Rule with Empty Strings in lists", - inputError: errors.New(`user "empty-strings" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:["" "apps"], Resources:["" "deployments"], Verbs:["get" ""]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{"", "apps"}, Resources: []string{"", "deployments"}, Verbs: []string{"get", ""}}, - }, - }, - expectError: require.NoError, - }, - { - name: "Rule with Only Empty Verb", - inputError: errors.New(`user "empty-verb" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:[""], Resources:["pods"], Verbs:[""]}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{""}}, - }, - }, - expectError: require.NoError, - }, - { - name: "Rule with no fields", - inputError: errors.New(`user "empty-verb" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{}`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{{}}, - }, - expectError: require.NoError, - }, - { - name: "Rule with no colon separator", - inputError: errors.New(`user "empty-verb" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:[""], Resources, Verbs:["get"]} -`), - expectedResult: &parseResult{}, - expectError: func(t require.TestingT, err error, i ...interface{}) { - require.ErrorContains(t, err, `unexpected item "Resources": expected :[...]`) - }, - }, - { - name: "Rule with unknown field", - inputError: errors.New(`user "empty-verb" (groups=["test"]) is attempting to grant RBAC permissions not currently held: -{FooBar:["baz"]} -{APIGroups:[""], Resources:["secrets"], Verbs:["get"]} -`), - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}}, - }, - }, - expectError: func(t require.TestingT, err error, i ...interface{}) { - require.ErrorContains(t, err, `unknown field: "FooBar"`) - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - rules, err := parseEscalationErrorForMissingRules(tc.inputError) - tc.expectError(t, err) - require.Equal(t, tc.expectedResult, rules) - }) - } -} - -func TestParseEscalationErrorForMissingRules_KubernetesCompatibility(t *testing.T) { - testCases := []struct { - name string - ruleResolver validation.AuthorizationRuleResolver - wantRules []rbacv1.PolicyRule - expectedErrorString string - expectedResult *parseResult - }{ - { - name: "missing rules", - ruleResolver: mockRulesResolver{ - rules: []rbacv1.PolicyRule{}, - err: nil, - }, - wantRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"test-secret"}}, - {APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"get", "list", "watch"}}, - {APIGroups: []string{"apps"}, Resources: []string{"deployments", "replicasets"}, Verbs: []string{"create", "update", "patch", "delete"}}, - {NonResourceURLs: []string{"/healthz", "/livez"}, Verbs: []string{"get", "post"}}, - }, - expectedErrorString: `user "user" (groups=["a" "b"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:[""], Resources:["configmaps"], Verbs:["get" "list" "watch"]} -{APIGroups:[""], Resources:["secrets"], ResourceNames:["test-secret"], Verbs:["get"]} -{APIGroups:["apps"], Resources:["deployments"], Verbs:["create" "update" "patch" "delete"]} -{APIGroups:["apps"], Resources:["replicasets"], Verbs:["create" "update" "patch" "delete"]} -{NonResourceURLs:["/healthz"], Verbs:["get"]} -{NonResourceURLs:["/healthz"], Verbs:["post"]} -{NonResourceURLs:["/livez"], Verbs:["get"]} -{NonResourceURLs:["/livez"], Verbs:["post"]}`, - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"get", "list", "watch"}}, - {APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"test-secret"}}, - {APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"create", "update", "patch", "delete"}}, - {APIGroups: []string{"apps"}, Resources: []string{"replicasets"}, Verbs: []string{"create", "update", "patch", "delete"}}, - {NonResourceURLs: []string{"/healthz"}, Verbs: []string{"get"}}, - {NonResourceURLs: []string{"/healthz"}, Verbs: []string{"post"}}, - {NonResourceURLs: []string{"/livez"}, Verbs: []string{"get"}}, - {NonResourceURLs: []string{"/livez"}, Verbs: []string{"post"}}, - }, - }, - }, - { - name: "resolution failure", - ruleResolver: mockRulesResolver{ - rules: []rbacv1.PolicyRule{}, - err: errors.New("resolution error"), - }, - wantRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"test-secret"}}, - {APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"get", "list", "watch"}}, - {APIGroups: []string{"apps"}, Resources: []string{"deployments", "replicasets"}, Verbs: []string{"create", "update", "patch", "delete"}}, - {NonResourceURLs: []string{"/healthz", "/livez"}, Verbs: []string{"get", "post"}}, - }, - expectedErrorString: `user "user" (groups=["a" "b"]) is attempting to grant RBAC permissions not currently held: -{APIGroups:[""], Resources:["configmaps"], Verbs:["get" "list" "watch"]} -{APIGroups:[""], Resources:["secrets"], ResourceNames:["test-secret"], Verbs:["get"]} -{APIGroups:["apps"], Resources:["deployments"], Verbs:["create" "update" "patch" "delete"]} -{APIGroups:["apps"], Resources:["replicasets"], Verbs:["create" "update" "patch" "delete"]} -{NonResourceURLs:["/healthz"], Verbs:["get"]} -{NonResourceURLs:["/healthz"], Verbs:["post"]} -{NonResourceURLs:["/livez"], Verbs:["get"]} -{NonResourceURLs:["/livez"], Verbs:["post"]}; resolution errors: [resolution error]`, - expectedResult: &parseResult{ - MissingRules: []rbacv1.PolicyRule{ - {APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"get", "list", "watch"}}, - {APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"test-secret"}}, - {APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"create", "update", "patch", "delete"}}, - {APIGroups: []string{"apps"}, Resources: []string{"replicasets"}, Verbs: []string{"create", "update", "patch", "delete"}}, - {NonResourceURLs: []string{"/healthz"}, Verbs: []string{"get"}}, - {NonResourceURLs: []string{"/healthz"}, Verbs: []string{"post"}}, - {NonResourceURLs: []string{"/livez"}, Verbs: []string{"get"}}, - {NonResourceURLs: []string{"/livez"}, Verbs: []string{"post"}}, - }, - ResolutionErrors: errors.New("[resolution error]"), - }, - }, - } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - ctx := request.WithUser(request.WithNamespace(context.Background(), "namespace"), &user.DefaultInfo{ - Name: "user", - Groups: []string{"a", "b"}, - }) - - // Let's actually call the upstream function that generates and returns the - // error message that we are attempting to parse correctly. The hope is that - // these tests will start failing if we bump to a new version of kubernetes - // that causes our parsing logic to be incorrect. - err := validation.ConfirmNoEscalation(ctx, tc.ruleResolver, tc.wantRules) - require.Error(t, err) - require.Equal(t, tc.expectedErrorString, err.Error()) - - res, err := parseEscalationErrorForMissingRules(err) - require.NoError(t, err) - require.Equal(t, tc.expectedResult, res) - }) - } -} - -type mockRulesResolver struct { - rules []rbacv1.PolicyRule - err error -} - -func (m mockRulesResolver) GetRoleReferenceRules(ctx context.Context, roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error) { - panic("unimplemented") -} - -func (m mockRulesResolver) RulesFor(ctx context.Context, user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { - return m.rules, m.err -} - -func (m mockRulesResolver) VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { - panic("unimplemented") -} diff --git a/internal/operator-controller/config/config.go b/internal/operator-controller/config/config.go index afb89dff58..3bf5f3200d 100644 --- a/internal/operator-controller/config/config.go +++ b/internal/operator-controller/config/config.go @@ -41,13 +41,6 @@ const ( // configSchemaID is a name we use to identify the config schema when compiling it. // Think of it like a file name - it just needs to be consistent. configSchemaID = "config-schema.json" - - // FormatOwnNamespaceInstallMode defines the format check to ensure that - // the watchNamespace must equal install namespace - FormatOwnNamespaceInstallMode = "ownNamespaceInstallMode" - // FormatSingleNamespaceInstallMode defines the format check to ensure that - // the watchNamespace must differ from install namespace - FormatSingleNamespaceInstallMode = "singleNamespaceInstallMode" ) // DeploymentConfig is a type alias for v1alpha1.SubscriptionConfig @@ -85,26 +78,6 @@ func newConfig(data map[string]any) *Config { return &cfg } -// GetWatchNamespace returns the watchNamespace value if present in the configuration. -// Returns nil if watchNamespace is not set or is explicitly set to null. -func (c *Config) GetWatchNamespace() *string { - if c == nil || *c == nil { - return nil - } - val, exists := (*c)["watchNamespace"] - if !exists { - return nil - } - // User set watchNamespace: null - treat as "not configured" - if val == nil { - return nil - } - // Convert value to string. Schema validation ensures this is a string, - // but fmt.Sprintf handles edge cases defensively. - str := fmt.Sprintf("%v", val) - return &str -} - // GetDeploymentConfig returns the deploymentConfig value if present in the configuration. // Returns nil if deploymentConfig is not set or is explicitly set to null. // The returned value is a generic map[string]any that can be marshaled to JSON @@ -157,13 +130,7 @@ func (c *Config) GetDeploymentConfig() map[string]any { // Parameters: // - bytes: the user's configuration in YAML or JSON. If nil, we treat it as empty ({}) // - schema: describes what configuration is valid. If nil, we skip validation -// - installNamespace: the namespace where the operator will be installed. We use this -// to validate namespace constraints (e.g., OwnNamespace mode requires watchNamespace -// to equal installNamespace) -// -// If the user doesn't provide any configuration but the package format type requires some fields -// (like watchNamespace), validation will fail with a helpful error. -func UnmarshalConfig(bytes []byte, schema map[string]any, installNamespace string) (*Config, error) { +func UnmarshalConfig(bytes []byte, schema map[string]any) (*Config, error) { // nil config becomes {} so we can validate required fields if bytes == nil { bytes = []byte("{}") @@ -171,7 +138,7 @@ func UnmarshalConfig(bytes []byte, schema map[string]any, installNamespace strin // Step 1: Validate against the schema if provided if schema != nil { - if err := validateConfigWithSchema(bytes, schema, installNamespace); err != nil { + if err := validateConfigWithSchema(bytes, schema); err != nil { return nil, fmt.Errorf("invalid configuration: %w", err) } } @@ -188,11 +155,7 @@ func UnmarshalConfig(bytes []byte, schema map[string]any, installNamespace strin } // validateConfigWithSchema checks if the user's config matches the schema. -// -// We create a fresh validator each time because the namespace constraints depend on -// which namespace this specific ClusterExtension is being installed into. Each -// ClusterExtension might have a different installNamespace, so we can't reuse validators. -func validateConfigWithSchema(configBytes []byte, schema map[string]any, installNamespace string) error { +func validateConfigWithSchema(configBytes []byte, schema map[string]any) error { var configData interface{} if err := yaml.Unmarshal(configBytes, &configData); err != nil { return formatUnmarshalError(err) @@ -200,47 +163,6 @@ func validateConfigWithSchema(configBytes []byte, schema map[string]any, install compiler := jsonschema.NewCompiler() - compiler.RegisterFormat(&jsonschema.Format{ - Name: FormatOwnNamespaceInstallMode, - Validate: func(value interface{}) error { - // Check it equals install namespace (if installNamespace is set) - // If installNamespace is empty, we can't validate the constraint properly, - // so we skip validation and accept any value. This is a fallback for edge - // cases where the install namespace isn't known yet. - if installNamespace == "" { - return nil - } - str, ok := value.(string) - if !ok { - return fmt.Errorf("value must be a string") - } - if str != installNamespace { - return fmt.Errorf("invalid value %q: must be %q (the namespace where the operator is installed) because this operator only supports OwnNamespace install mode", str, installNamespace) - } - return nil - }, - }) - compiler.RegisterFormat(&jsonschema.Format{ - Name: FormatSingleNamespaceInstallMode, - Validate: func(value interface{}) error { - // Check it does NOT equal install namespace (if installNamespace is set) - // If installNamespace is empty, we can't validate the constraint properly, - // so we skip validation and accept any value. This is a fallback for edge - // cases where the install namespace isn't known yet. - if installNamespace == "" { - return nil - } - str, ok := value.(string) - if !ok { - return fmt.Errorf("value must be a string") - } - if str == installNamespace { - return fmt.Errorf("invalid value %q: must be different from %q (the install namespace) because this operator uses SingleNamespace install mode to watch a different namespace", str, installNamespace) - } - return nil - }, - }) - if err := compiler.AddResource(configSchemaID, schema); err != nil { return fmt.Errorf("failed to load schema: %w", err) } @@ -380,7 +302,7 @@ func formatSingleError(errUnit jsonschema.OutputUnit) string { } // extractFieldNameFromMessage extracts the field name from error messages. -// Example: "missing property 'watchNamespace'" -> "watchNamespace" +// Example: "missing property 'requiredField'" -> "requiredField" // Example: "additional properties 'unknownField' not allowed" -> "unknownField" func extractFieldNameFromMessage(errOutput *jsonschema.OutputError) string { if errOutput == nil { @@ -400,10 +322,10 @@ func extractFieldNameFromMessage(errOutput *jsonschema.OutputError) string { } // buildFieldPath constructs a field path from instance location array. -// Example: ["watchNamespace"] -> "watchNamespace" +// Example: ["fieldName"] -> "fieldName" // Example: ["spec", "namespace"] -> "spec.namespace" func buildFieldPath(location string) string { - // Instance location comes as a JSON pointer like "/watchNamespace" + // Instance location comes as a JSON pointer like "/fieldName" if location == "" || location == "/" { return "" } diff --git a/internal/operator-controller/config/config_test.go b/internal/operator-controller/config/config_test.go index 1e451cf5c9..6785bd5575 100644 --- a/internal/operator-controller/config/config_test.go +++ b/internal/operator-controller/config/config_test.go @@ -5,9 +5,6 @@ import ( "testing" "github.com/stretchr/testify/require" - "k8s.io/utils/ptr" - - "github.com/operator-framework/api/pkg/operators/v1alpha1" "github.com/operator-framework/operator-controller/internal/operator-controller/config" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle" @@ -16,66 +13,39 @@ import ( func Test_UnmarshalConfig(t *testing.T) { for _, tc := range []struct { - name string - rawConfig []byte - supportedInstallModes []v1alpha1.InstallModeType - installNamespace string - expectedErrMessage string - expectedWatchNamespace *string // Expected value from GetWatchNamespace() + name string + rawConfig []byte + expectedErrMessage string }{ { - name: "accepts nil config when AllNamespaces is supported", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces}, - rawConfig: nil, - expectedWatchNamespace: nil, - }, - { - name: "rejects nil config when OwnNamespace-only requires watchNamespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: nil, - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects nil config when SingleNamespace-only requires watchNamespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: nil, - expectedErrMessage: `required field "watchNamespace" is missing`, + name: "accepts nil config", + rawConfig: nil, }, { - name: "accepts json config", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "install-ns", // SingleNamespace requires watchNamespace != installNamespace - expectedWatchNamespace: ptr.To("some-namespace"), + name: "accepts empty config", + rawConfig: []byte(`{}`), }, { - name: "accepts yaml config", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`watchNamespace: some-namespace`), - installNamespace: "install-ns", // SingleNamespace requires watchNamespace != installNamespace - expectedWatchNamespace: ptr.To("some-namespace"), + name: "accepts json config with deploymentConfig", + rawConfig: []byte(`{"deploymentConfig": {"env": [{"name": "FOO", "value": "bar"}]}}`), }, { - name: "rejects invalid json", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"hello`), - expectedErrMessage: `invalid configuration: found unexpected end of stream`, + name: "rejects invalid json", + rawConfig: []byte(`{"hello`), + expectedErrMessage: `invalid configuration: found unexpected end of stream`, }, { - name: "rejects valid json that isn't of object type", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`true`), - expectedErrMessage: `got boolean, want object`, + name: "rejects valid json that isn't of object type", + rawConfig: []byte(`true`), + expectedErrMessage: `got boolean, want object`, }, { - name: "rejects additional fields", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces}, - rawConfig: []byte(`somekey: somevalue`), - expectedErrMessage: `unknown field "somekey"`, + name: "rejects additional fields", + rawConfig: []byte(`somekey: somevalue`), + expectedErrMessage: `unknown field "somekey"`, }, { - name: "rejects selector field in deploymentConfig (v0 field not supported in v1)", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces}, + name: "rejects selector field in deploymentConfig (v0 field not supported in v1)", rawConfig: []byte(`{ "deploymentConfig": { "selector": { @@ -87,235 +57,24 @@ func Test_UnmarshalConfig(t *testing.T) { }`), expectedErrMessage: `unknown field "selector"`, }, - { - name: "rejects valid json but invalid registry+v1", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": {"hello": "there"}}`), - expectedErrMessage: `got object, want string`, - }, - { - name: "rejects with unknown field when install modes {AllNamespaces}", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - expectedErrMessage: `unknown field "watchNamespace"`, - }, - { - name: "rejects with unknown field when install modes {MultiNamespace}", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - expectedErrMessage: `unknown field "watchNamespace"`, - }, - { - name: "reject with unknown field when install modes {AllNamespaces, MultiNamespace}", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - expectedErrMessage: `unknown field "watchNamespace"`, - }, - { - name: "reject with required field when install modes {OwnNamespace} and watchNamespace is null", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "reject with required field when install modes {OwnNamespace} and watchNamespace is missing", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{}`), - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "reject with required field when install modes {MultiNamespace, OwnNamespace} and watchNamespace is null", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeMultiNamespace, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "reject with required field when install modes {MultiNamespace, OwnNamespace} and watchNamespace is missing", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeMultiNamespace, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{}`), - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "accepts when install modes {SingleNamespace} and watchNamespace != install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "install-ns", - expectedWatchNamespace: ptr.To("some-namespace"), - }, - { - name: "accepts when install modes {AllNamespaces, SingleNamespace} and watchNamespace != install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "install-ns", - expectedWatchNamespace: ptr.To("some-namespace"), - }, - { - name: "accepts when install modes {MultiNamespace, SingleNamespace} and watchNamespace != install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeMultiNamespace, v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "install-ns", - expectedWatchNamespace: ptr.To("some-namespace"), - }, - { - name: "accepts when install modes {OwnNamespace, SingleNamespace} and watchNamespace != install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace, v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "not-namespace", - expectedWatchNamespace: ptr.To("some-namespace"), - }, - { - name: "rejects when install modes {SingleNamespace} and watchNamespace == install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "some-namespace", - expectedErrMessage: "invalid configuration:", - }, - { - name: "rejects when install modes {AllNamespaces, SingleNamespace} and watchNamespace == install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "some-namespace", - expectedErrMessage: "invalid configuration:", - }, - { - name: "rejects when install modes {MultiNamespace, SingleNamespace} and watchNamespace == install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeMultiNamespace, v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "some-namespace", - expectedErrMessage: "invalid configuration:", - }, - { - name: "accepts when install modes {AllNamespaces, OwnNamespace} and watchNamespace == install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "some-namespace", - expectedWatchNamespace: ptr.To("some-namespace"), - }, - { - name: "accepts when install modes {OwnNamespace, SingleNamespace} and watchNamespace == install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace, v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "some-namespace", - expectedWatchNamespace: ptr.To("some-namespace"), - }, - { - name: "rejects when install modes {AllNamespaces, OwnNamespace} and watchNamespace != install namespace", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": "some-namespace"}`), - installNamespace: "not-some-namespace", - expectedErrMessage: "invalid configuration:", - }, - { - name: "rejects with required field error when install modes {SingleNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects with required field error when install modes {SingleNamespace, OwnNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects with required field error when install modes {SingleNamespace, MultiNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects with required field error when install modes {SingleNamespace} and watchNamespace is missing", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - rawConfig: []byte(`{}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects with required field error when install modes {SingleNamespace, OwnNamespace} and watchNamespace is missing", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects with required field error when install modes {SingleNamespace, MultiNamespace} and watchNamespace is missing", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "rejects with required field error when install modes {SingleNamespace, OwnNamespace, MultiNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeOwnNamespace, v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - installNamespace: "not-some-namespace", - expectedErrMessage: `required field "watchNamespace" is missing`, - }, - { - name: "accepts null watchNamespace when install modes {AllNamespaces, OwnNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - installNamespace: "not-some-namespace", - expectedWatchNamespace: nil, - }, - { - name: "accepts null watchNamespace when install modes {AllNamespaces, OwnNamespace, MultiNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeOwnNamespace, v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{"watchNamespace": null}`), - installNamespace: "not-some-namespace", - expectedWatchNamespace: nil, - }, - { - name: "accepts no watchNamespace when install modes {AllNamespaces, OwnNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{}`), - installNamespace: "not-some-namespace", - expectedWatchNamespace: nil, - }, - { - name: "accepts no watchNamespace when install modes {AllNamespaces, OwnNamespace, MultiNamespace} and watchNamespace is nil", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeOwnNamespace, v1alpha1.InstallModeTypeMultiNamespace}, - rawConfig: []byte(`{}`), - installNamespace: "not-some-namespace", - expectedWatchNamespace: nil, - }, - { - name: "skips validation when installNamespace is empty for OwnNamespace only", - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace}, - rawConfig: []byte(`{"watchNamespace": "valid-ns"}`), - installNamespace: "", - expectedWatchNamespace: ptr.To("valid-ns"), - }, } { t.Run(tc.name, func(t *testing.T) { - var rv1 bundle.RegistryV1 - if tc.supportedInstallModes != nil { - rv1 = bundle.RegistryV1{ - CSV: clusterserviceversion.Builder(). - WithName("test-operator"). - WithInstallModeSupportFor(tc.supportedInstallModes...). - Build(), - } + rv1 := bundle.RegistryV1{ + CSV: clusterserviceversion.Builder(). + WithName("test-operator"). + Build(), } schema, err := rv1.GetConfigSchema() require.NoError(t, err) - cfg, err := config.UnmarshalConfig(tc.rawConfig, schema, tc.installNamespace) + cfg, err := config.UnmarshalConfig(tc.rawConfig, schema) if tc.expectedErrMessage != "" { require.Error(t, err) require.Contains(t, err.Error(), tc.expectedErrMessage) } else { require.NoError(t, err) require.NotNil(t, cfg) - if tc.expectedWatchNamespace == nil { - require.Nil(t, cfg.GetWatchNamespace()) - } else { - require.Equal(t, *tc.expectedWatchNamespace, *cfg.GetWatchNamespace()) - } } }) } @@ -324,30 +83,21 @@ func Test_UnmarshalConfig(t *testing.T) { // Test_UnmarshalConfig_EmptySchema tests when a ClusterExtension doesn't provide a configuration schema. func Test_UnmarshalConfig_EmptySchema(t *testing.T) { for _, tc := range []struct { - name string - rawConfig []byte - expectedErrMessage string - expectedWatchNamespace *string + name string + rawConfig []byte + expectedErrMessage string }{ { - name: "no config provided", - rawConfig: nil, - expectedWatchNamespace: nil, - }, - { - name: "empty config provided", - rawConfig: []byte(`{}`), - expectedWatchNamespace: nil, + name: "no config provided", + rawConfig: nil, }, { - name: "config with watchNamespace provided", - rawConfig: []byte(`{"watchNamespace": "some-ns"}`), - expectedWatchNamespace: ptr.To("some-ns"), + name: "empty config provided", + rawConfig: []byte(`{}`), }, { - name: "config with unknown fields provided", - rawConfig: []byte(`{"someField": "someValue"}`), - expectedWatchNamespace: nil, + name: "config with unknown fields provided", + rawConfig: []byte(`{"someField": "someValue"}`), }, } { t.Run(tc.name, func(t *testing.T) { @@ -355,7 +105,7 @@ func Test_UnmarshalConfig_EmptySchema(t *testing.T) { schema, err := noSchemaBundle.GetConfigSchema() require.NoError(t, err) - config, err := config.UnmarshalConfig(tc.rawConfig, schema, "my-namespace") + config, err := config.UnmarshalConfig(tc.rawConfig, schema) if tc.expectedErrMessage != "" { require.Error(t, err) @@ -363,11 +113,6 @@ func Test_UnmarshalConfig_EmptySchema(t *testing.T) { } else { require.NoError(t, err) require.NotNil(t, config) - if tc.expectedWatchNamespace == nil { - require.Nil(t, config.GetWatchNamespace()) - } else { - require.Equal(t, *tc.expectedWatchNamespace, *config.GetWatchNamespace()) - } } }) } @@ -375,21 +120,20 @@ func Test_UnmarshalConfig_EmptySchema(t *testing.T) { // Test_UnmarshalConfig_HelmLike proves validation works the same for ANY package format type. // -// - registry+v1 -> generates schema from install modes +// - registry+v1 -> generates schema from bundle // - Helm -> reads values.schema.json from chart // - registry+v2 -> (future) provides schema via its own mechanism // // Same validation process regardless of package format type. func Test_UnmarshalConfig_HelmLike(t *testing.T) { for _, tc := range []struct { - name string - rawConfig []byte - helmSchema string // what values.schema.json would contain - expectedErrMessage string - expectedWatchNamespace *string + name string + rawConfig []byte + helmSchema string // what values.schema.json would contain + expectedErrMessage string }{ { - name: "Helm chart with typical config values (no watchNamespace)", + name: "Helm chart with typical config values", rawConfig: []byte(`{ "replicaCount": 3, "image": {"tag": "v1.2.3"}, @@ -414,26 +158,6 @@ func Test_UnmarshalConfig_HelmLike(t *testing.T) { } } }`, - expectedWatchNamespace: nil, - }, - { - name: "Helm chart that ALSO uses watchNamespace (mixed config)", - rawConfig: []byte(`{ - "watchNamespace": "my-app-namespace", - "replicaCount": 2, - "debug": true - }`), - helmSchema: `{ - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "properties": { - "watchNamespace": {"type": "string"}, - "replicaCount": {"type": "integer"}, - "debug": {"type": "boolean"} - } - }`, - // watchNamespace gets extracted, other fields validated by schema - expectedWatchNamespace: ptr.To("my-app-namespace"), }, { name: "Schema validation catches constraint violations (replicaCount below minimum)", @@ -469,7 +193,6 @@ func Test_UnmarshalConfig_HelmLike(t *testing.T) { "replicaCount": {"type": "integer", "default": 1} } }`, - expectedWatchNamespace: nil, }, { name: "Required fields are enforced by schema", @@ -485,52 +208,6 @@ func Test_UnmarshalConfig_HelmLike(t *testing.T) { }`, expectedErrMessage: `required field "requiredField" is missing`, }, - { - name: "Helm with watchNamespace accepts any string value (K8s validates at runtime)", - rawConfig: []byte(`{ - "watchNamespace": "any-value-here", - "replicaCount": 2 - }`), - helmSchema: `{ - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "properties": { - "watchNamespace": {"type": "string"}, - "replicaCount": {"type": "integer"} - } - }`, - expectedWatchNamespace: ptr.To("any-value-here"), - }, - { - name: "Helm with watchNamespace using ownNamespaceInstallMode format (OwnNamespace-like)", - rawConfig: []byte(`{ - "watchNamespace": "wrong-namespace" - }`), - helmSchema: `{ - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "required": ["watchNamespace"], - "properties": { - "watchNamespace": {"type": "string", "format": "ownNamespaceInstallMode"} - } - }`, - expectedErrMessage: "invalid configuration:", - }, - { - name: "Helm with watchNamespace using singleNamespaceInstallMode format (SingleNamespace-like)", - rawConfig: []byte(`{ - "watchNamespace": "my-namespace" - }`), - helmSchema: `{ - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "required": ["watchNamespace"], - "properties": { - "watchNamespace": {"type": "string", "format": "singleNamespaceInstallMode"} - } - }`, - expectedErrMessage: "invalid configuration:", - }, } { t.Run(tc.name, func(t *testing.T) { // Create a mock Helm package (real Helm would read values.schema.json) @@ -539,7 +216,7 @@ func Test_UnmarshalConfig_HelmLike(t *testing.T) { require.NoError(t, err) // Same validation function works for Helm, registry+v1, registry+v2, etc. - config, err := config.UnmarshalConfig(tc.rawConfig, schema, "my-namespace") + config, err := config.UnmarshalConfig(tc.rawConfig, schema) if tc.expectedErrMessage != "" { require.Error(t, err) @@ -547,11 +224,6 @@ func Test_UnmarshalConfig_HelmLike(t *testing.T) { } else { require.NoError(t, err) require.NotNil(t, config) - if tc.expectedWatchNamespace == nil { - require.Nil(t, config.GetWatchNamespace()) - } else { - require.Equal(t, *tc.expectedWatchNamespace, *config.GetWatchNamespace()) - } } }) } @@ -606,7 +278,7 @@ func Test_GetDeploymentConfig(t *testing.T) { }, { name: "config without deploymentConfig field returns nil", - rawConfig: []byte(`{"watchNamespace": "test-ns"}`), + rawConfig: []byte(`{"someField": "test-ns"}`), expectedDeploymentConfigNil: true, }, { @@ -647,7 +319,7 @@ func Test_GetDeploymentConfig(t *testing.T) { schema, err := bundle.GetConfigSchema() require.NoError(t, err) - cfg, err := config.UnmarshalConfig(tt.rawConfig, schema, "") + cfg, err := config.UnmarshalConfig(tt.rawConfig, schema) require.NoError(t, err) result := cfg.GetDeploymentConfig() @@ -680,7 +352,7 @@ func Test_GetDeploymentConfig(t *testing.T) { schema, err := bundle.GetConfigSchema() require.NoError(t, err) - cfg, err := config.UnmarshalConfig(rawConfig, schema, "") + cfg, err := config.UnmarshalConfig(rawConfig, schema) require.NoError(t, err) // Get the deploymentConfig diff --git a/internal/operator-controller/config/error_formatting_test.go b/internal/operator-controller/config/error_formatting_test.go index 6ec1ebf7de..800b3fb14c 100644 --- a/internal/operator-controller/config/error_formatting_test.go +++ b/internal/operator-controller/config/error_formatting_test.go @@ -1,122 +1,42 @@ package config_test import ( - "strings" "testing" "github.com/stretchr/testify/require" - "github.com/operator-framework/api/pkg/operators/v1alpha1" - "github.com/operator-framework/operator-controller/internal/operator-controller/config" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle" "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util/testing/clusterserviceversion" ) // Test_ErrorFormatting_SchemaLibraryVersion verifies error messages from the JSON schema -// library and our custom format validators. +// library. // // These tests serve two purposes: // 1. Guard against breaking changes if we upgrade github.com/santhosh-tekuri/jsonschema/v6 // (tests for formatSchemaError parsing may need updates) -// 2. Document the actual error messages end users see (especially for namespace constraints) +// 2. Document the actual error messages end users see func Test_ErrorFormatting_SchemaLibraryVersion(t *testing.T) { for _, tc := range []struct { name string rawConfig []byte - supportedInstallModes []v1alpha1.InstallModeType - installNamespace string - // We verify the error message contains these key phrases expectedErrSubstrings []string }{ { - name: "Unknown field error formatting", - rawConfig: []byte(`{"unknownField": "value"}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeAllNamespaces}, + name: "Unknown field error formatting", + rawConfig: []byte(`{"unknownField": "value"}`), expectedErrSubstrings: []string{ "unknown field", "unknownField", }, }, { - name: "Required field missing error formatting", - rawConfig: []byte(`{}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace}, - expectedErrSubstrings: []string{ - "required field", - "watchNamespace", - "is missing", - }, - }, - { - name: "Required field null error formatting", - rawConfig: []byte(`{"watchNamespace": null}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - expectedErrSubstrings: []string{ - "required field", - "watchNamespace", - "is missing", - }, - }, - { - name: "Type mismatch error formatting", - rawConfig: []byte(`{"watchNamespace": 123}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, + name: "Type mismatch error formatting for deploymentConfig", + rawConfig: []byte(`{"deploymentConfig": "not-an-object"}`), expectedErrSubstrings: []string{ "invalid type", - "watchNamespace", - }, - }, - { - name: "OwnNamespace constraint error formatting", - rawConfig: []byte(`{"watchNamespace": "wrong-namespace"}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeOwnNamespace}, - installNamespace: "correct-namespace", - expectedErrSubstrings: []string{ - "invalid format for field \"watchNamespace\"", - "invalid value", - "wrong-namespace", - "correct-namespace", - "the namespace where the operator is installed", - "OwnNamespace install mode", - }, - }, - { - name: "SingleNamespace constraint error formatting", - rawConfig: []byte(`{"watchNamespace": "install-ns"}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - installNamespace: "install-ns", - expectedErrSubstrings: []string{ - "invalid format for field \"watchNamespace\"", - "not valid singleNamespaceInstallMode", - "invalid value", - "install-ns", - "must be different from", - "the install namespace", - "SingleNamespace install mode", - "watch a different namespace", - }, - }, - { - name: "SingleNamespace constraint error bad namespace format", - rawConfig: []byte(`{"watchNamespace": "---AAAA-BBBB-super-long-namespace-that-that-is-waaaaaaaaayyy-longer-than-sixty-three-characters"}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace}, - installNamespace: "install-ns", - expectedErrSubstrings: []string{ - "field \"watchNamespace\"", - "must match pattern \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\"", - }, - }, - { - name: "Single- and OwnNamespace constraint error bad namespace format", - rawConfig: []byte(`{"watchNamespace": ` + strings.Repeat("A", 63) + `"}`), - supportedInstallModes: []v1alpha1.InstallModeType{v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeOwnNamespace}, - installNamespace: "install-ns", - expectedErrSubstrings: []string{ - "invalid configuration", - "multiple errors found", - "must have maximum length of 63 (len=64)", - "must match pattern \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\"", + "deploymentConfig", }, }, } { @@ -124,14 +44,13 @@ func Test_ErrorFormatting_SchemaLibraryVersion(t *testing.T) { rv1 := bundle.RegistryV1{ CSV: clusterserviceversion.Builder(). WithName("test-operator"). - WithInstallModeSupportFor(tc.supportedInstallModes...). Build(), } schema, err := rv1.GetConfigSchema() require.NoError(t, err) - _, err = config.UnmarshalConfig(tc.rawConfig, schema, tc.installNamespace) + _, err = config.UnmarshalConfig(tc.rawConfig, schema) require.Error(t, err, "Expected validation error") errMsg := err.Error() @@ -165,28 +84,18 @@ func Test_ErrorFormatting_YAMLParseErrors(t *testing.T) { "got boolean, want object", }, }, - { - name: "Wrong type for field", - rawConfig: []byte(`{"watchNamespace": {"nested": "object"}}`), - expectedErrSubstrings: []string{ - "invalid type", - "got object, want string", - "watchNamespace", - }, - }, } { t.Run(tc.name, func(t *testing.T) { rv1 := bundle.RegistryV1{ CSV: clusterserviceversion.Builder(). WithName("test-operator"). - WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace). Build(), } schema, err := rv1.GetConfigSchema() require.NoError(t, err) - _, err = config.UnmarshalConfig(tc.rawConfig, schema, "test-namespace") + _, err = config.UnmarshalConfig(tc.rawConfig, schema) require.Error(t, err, "Expected parse error") errMsg := err.Error() diff --git a/internal/operator-controller/contentmanager/contentmanager.go b/internal/operator-controller/contentmanager/contentmanager.go index d488bdb535..a50e6f3a5b 100644 --- a/internal/operator-controller/contentmanager/contentmanager.go +++ b/internal/operator-controller/contentmanager/contentmanager.go @@ -2,48 +2,57 @@ package contentmanager import ( "context" + "errors" "fmt" + "io" "sync" "time" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/dynamic" "k8s.io/client-go/dynamic/dynamicinformer" "k8s.io/client-go/rest" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" ocv1 "github.com/operator-framework/operator-controller/api/v1" cmcache "github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager/cache" oclabels "github.com/operator-framework/operator-controller/internal/operator-controller/labels" ) -// Manager is a utility to manage content caches belonging -// to ClusterExtensions +// Manager watches managed content objects across all ClusterExtensions +// using a single set of shared informers with a broad label selector. type Manager interface { - // Get returns a managed content cache for the provided - // ClusterExtension if one exists. If one does not exist, - // a new Cache is created and returned - Get(context.Context, *ocv1.ClusterExtension) (cmcache.Cache, error) - // Delete will stop and remove a managed content cache - // for the provided ClusterExtension if one exists. - Delete(*ocv1.ClusterExtension) error + io.Closer + // Watch ensures informers are running for the GVKs of all provided objects, + // tracked under the given ClusterExtension name. GVKs no longer needed by + // this CE (present in a previous Watch call but absent now) are released, + // and their informers are stopped if no other CE still needs them. + // Informers use a label selector matching all ClusterExtension-owned objects, + // and event routing to the correct CE is handled by owner references. + Watch(ctx context.Context, ceName string, watcher cmcache.Watcher, objs ...client.Object) error + // Delete removes all GVK tracking for the given ClusterExtension and stops + // any informers that are no longer needed by any remaining CE. + Delete(ctx context.Context, ceName string) } -type RestConfigMapper func(context.Context, client.Object, *rest.Config) (*rest.Config, error) - -// managerImpl is an implementation of the Manager interface type managerImpl struct { - rcm RestConfigMapper - baseCfg *rest.Config - caches map[string]cmcache.Cache - mapper meta.RESTMapper - mu *sync.Mutex + sourcerer sourcerer + sources map[schema.GroupVersionKind]cmcache.CloserSyncingSource + ceGVKs map[string]sets.Set[schema.GroupVersionKind] // per-CE GVK tracking + mu sync.Mutex syncTimeout time.Duration resyncPeriod time.Duration } +type sourcerer interface { + Source(schema.GroupVersionKind, client.Object, func(context.Context)) (cmcache.CloserSyncingSource, error) +} + type ManagerOption func(*managerImpl) // WithSyncTimeout configures the time spent waiting @@ -62,14 +71,12 @@ func WithResyncPeriod(t time.Duration) ManagerOption { } } -// NewManager creates a new Manager -func NewManager(rcm RestConfigMapper, cfg *rest.Config, mapper meta.RESTMapper, opts ...ManagerOption) Manager { +// NewManager creates a new Manager that uses a single dynamic client and +// shared informers to watch all ClusterExtension-managed objects. +func NewManager(cfg *rest.Config, mapper meta.RESTMapper, opts ...ManagerOption) (Manager, error) { m := &managerImpl{ - rcm: rcm, - baseCfg: cfg, - caches: make(map[string]cmcache.Cache), - mapper: mapper, - mu: &sync.Mutex{}, + sources: make(map[schema.GroupVersionKind]cmcache.CloserSyncingSource), + ceGVKs: make(map[string]sets.Set[schema.GroupVersionKind]), syncTimeout: time.Second * 10, resyncPeriod: time.Hour * 10, } @@ -78,70 +85,156 @@ func NewManager(rcm RestConfigMapper, cfg *rest.Config, mapper meta.RESTMapper, opt(m) } - return m -} - -// Get returns a Cache for the provided ClusterExtension. -// If a cache does not already exist, a new one will be created. -// If a nil ClusterExtension is provided this function will panic. -func (i *managerImpl) Get(ctx context.Context, ce *ocv1.ClusterExtension) (cmcache.Cache, error) { - if ce == nil { - panic("nil ClusterExtension provided") - } - - i.mu.Lock() - defer i.mu.Unlock() - cache, ok := i.caches[ce.Name] - if ok { - return cache, nil - } - - cfg, err := i.rcm(ctx, ce, i.baseCfg) - if err != nil { - return nil, fmt.Errorf("getting rest.Config: %w", err) - } - dynamicClient, err := dynamic.NewForConfig(cfg) if err != nil { - return nil, fmt.Errorf("getting dynamic client: %w", err) + return nil, fmt.Errorf("creating dynamic client: %w", err) } tgtLabels := labels.Set{ oclabels.OwnerKindKey: ocv1.ClusterExtensionKind, - oclabels.OwnerNameKey: ce.GetName(), } - dynamicSourcerer := &dynamicSourcerer{ - // Due to the limitation outlined in the dynamic informer source, - // related to reusing an informer factory, we return a new informer - // factory every time to ensure we are not attempting to configure or - // start an already started informer + m.sourcerer = &dynamicSourcerer{ informerFactoryCreateFunc: func() dynamicinformer.DynamicSharedInformerFactory { - return dynamicinformer.NewFilteredDynamicSharedInformerFactory(dynamicClient, time.Hour*10, metav1.NamespaceAll, func(lo *metav1.ListOptions) { + return dynamicinformer.NewFilteredDynamicSharedInformerFactory(dynamicClient, m.resyncPeriod, metav1.NamespaceAll, func(lo *metav1.ListOptions) { lo.LabelSelector = tgtLabels.AsSelector().String() }) }, - mapper: i.mapper, + mapper: mapper, } - cache = cmcache.NewCache(dynamicSourcerer, ce, i.syncTimeout) - i.caches[ce.Name] = cache - return cache, nil + + return m, nil } -// Delete stops and removes the Cache for the provided ClusterExtension -func (i *managerImpl) Delete(ce *ocv1.ClusterExtension) error { - if ce == nil { - panic("nil ClusterExtension provided") +// Watch ensures informers are running for the GVKs of all provided objects. +// It updates the GVK set for the named CE and stops informers for GVKs that +// are no longer needed by any CE. +func (m *managerImpl) Watch(ctx context.Context, ceName string, watcher cmcache.Watcher, objs ...client.Object) error { + m.mu.Lock() + defer m.mu.Unlock() + + newGVKs := sets.New[schema.GroupVersionKind]() + for _, obj := range objs { + gvk := obj.GetObjectKind().GroupVersionKind() + if gvk.Kind == "" { + return fmt.Errorf("object %s has no Kind set", obj.GetName()) + } + if gvk.Version == "" { + return fmt.Errorf("object %s has no Version set", obj.GetName()) + } + newGVKs.Insert(gvk) } - i.mu.Lock() - defer i.mu.Unlock() - if cache, ok := i.caches[ce.Name]; ok { - err := cache.Close() + oldGVKs := m.ceGVKs[ceName] + m.ceGVKs[ceName] = newGVKs + + // Start informers for GVKs not yet watched + for gvk := range newGVKs { + if _, exists := m.sources[gvk]; exists { + continue + } + s, err := m.startSource(ctx, gvk, watcher) if err != nil { - return fmt.Errorf("closing cache: %w", err) + return fmt.Errorf("starting source for GVK %q: %w", gvk, err) } - delete(i.caches, ce.Name) + m.sources[gvk] = s + } + + // Stop informers for GVKs this CE no longer needs, if no other CE needs them + if oldGVKs != nil { + removed := oldGVKs.Difference(newGVKs) + m.stopOrphanedSources(ctx, removed) } + return nil } + +// Delete removes all GVK tracking for the named CE and stops orphaned informers. +func (m *managerImpl) Delete(ctx context.Context, ceName string) { + m.mu.Lock() + defer m.mu.Unlock() + + gvks, ok := m.ceGVKs[ceName] + if !ok { + return + } + delete(m.ceGVKs, ceName) + m.stopOrphanedSources(ctx, gvks) +} + +// stopOrphanedSources stops informers for GVKs that no CE still requires. +// Must be called with m.mu held. +func (m *managerImpl) stopOrphanedSources(ctx context.Context, candidates sets.Set[schema.GroupVersionKind]) { + for gvk := range candidates { + if m.isGVKNeeded(gvk) { + continue + } + if source, ok := m.sources[gvk]; ok { + if err := source.Close(); err != nil { + logr := log.FromContext(ctx) + logr.Error(err, "closing orphaned source failed", "gvk", gvk) + } + delete(m.sources, gvk) + } + } +} + +// isGVKNeeded returns true if any CE still requires this GVK. +// Must be called with m.mu held. +func (m *managerImpl) isGVKNeeded(gvk schema.GroupVersionKind) bool { + for _, gvks := range m.ceGVKs { + if gvks.Has(gvk) { + return true + } + } + return false +} + +func (m *managerImpl) startSource(ctx context.Context, gvk schema.GroupVersionKind, watcher cmcache.Watcher) (cmcache.CloserSyncingSource, error) { + // Use a placeholder ClusterExtension as the owner type for EnqueueRequestForOwner. + // The handler uses the owner's GVK to match ownerReferences, not the specific instance. + owner := &ocv1.ClusterExtension{} + + s, err := m.sourcerer.Source(gvk, owner, func(ctx context.Context) { + m.mu.Lock() + defer m.mu.Unlock() + if source, ok := m.sources[gvk]; ok { + if closeErr := source.Close(); closeErr != nil { + logr := log.FromContext(ctx) + logr.Error(closeErr, "managed content cache postSyncError removing source failed", "gvk", gvk) + } + delete(m.sources, gvk) + } + }) + if err != nil { + return nil, fmt.Errorf("getting source: %w", err) + } + + if err := watcher.Watch(s); err != nil { + return nil, fmt.Errorf("establishing watch for GVK %q: %w", gvk, err) + } + + syncCtx, syncCancel := context.WithTimeout(ctx, m.syncTimeout) + defer syncCancel() + if err := s.WaitForSync(syncCtx); err != nil { + return nil, fmt.Errorf("waiting for sync: %w", err) + } + + return s, nil +} + +// Close stops all informers managed by this Manager. +func (m *managerImpl) Close() error { + m.mu.Lock() + defer m.mu.Unlock() + + var errs []error + for gvk, s := range m.sources { + if err := s.Close(); err != nil { + errs = append(errs, fmt.Errorf("closing source for GVK %q: %w", gvk, err)) + } + } + clear(m.sources) + clear(m.ceGVKs) + return errors.Join(errs...) +} diff --git a/internal/operator-controller/controllers/clusterextension_admission_test.go b/internal/operator-controller/controllers/clusterextension_admission_test.go index 259bb95059..53b7ddeaaa 100644 --- a/internal/operator-controller/controllers/clusterextension_admission_test.go +++ b/internal/operator-controller/controllers/clusterextension_admission_test.go @@ -45,9 +45,6 @@ func TestClusterExtensionSourceConfig(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, })) } if tc.unionField == "" { @@ -56,9 +53,6 @@ func TestClusterExtensionSourceConfig(t *testing.T) { SourceType: tc.sourceType, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, })) } @@ -123,9 +117,6 @@ func TestClusterExtensionAdmissionPackageName(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, })) if tc.errMsg == "" { require.NoError(t, err, "unexpected error for package name %q: %w", tc.pkgName, err) @@ -221,9 +212,6 @@ func TestClusterExtensionAdmissionVersion(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, })) if tc.errMsg == "" { require.NoError(t, err, "unexpected error for version %q: %w", tc.version, err) @@ -276,9 +264,6 @@ func TestClusterExtensionAdmissionChannel(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, })) if tc.errMsg == "" { require.NoError(t, err, "unexpected error for channel %q: %w", tc.channels, err) @@ -329,9 +314,6 @@ func TestClusterExtensionAdmissionInstallNamespace(t *testing.T) { }, }, Namespace: tc.namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, })) if tc.errMsg == "" { require.NoError(t, err, "unexpected error for namespace %q: %w", tc.namespace, err) @@ -357,7 +339,6 @@ func TestClusterExtensionAdmissionServiceAccount(t *testing.T) { {"dot-separated", "dotted.name", ""}, {"longest valid service account name", strings.Repeat("x", 253), ""}, {"too long service account name", strings.Repeat("x", 254), tooLongError}, - {"no service account name", "", regexMismatchError}, {"spaces", "spaces spaces", regexMismatchError}, {"capitalized", "Capitalized", regexMismatchError}, {"camel case", "camelCase", regexMismatchError}, @@ -383,7 +364,7 @@ func TestClusterExtensionAdmissionServiceAccount(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ + ServiceAccount: ocv1.ServiceAccountReference{ //nolint:staticcheck Name: tc.serviceAccount, }, })) @@ -442,10 +423,7 @@ func TestClusterExtensionAdmissionInstall(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, - Install: tc.installConfig, + Install: tc.installConfig, })) if tc.errMsg == "" { require.NoError(t, err, "unexpected error for install configuration %v: %w", tc.installConfig, err) @@ -494,9 +472,6 @@ func Test_ClusterExtensionAdmissionInlineConfig(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, Config: &ocv1.ClusterExtensionConfig{ ConfigType: ocv1.ClusterExtensionConfigTypeInline, Inline: &apiextensionsv1.JSON{ diff --git a/internal/operator-controller/controllers/clusterextension_controller_test.go b/internal/operator-controller/controllers/clusterextension_controller_test.go index 6aa55c5f97..9d5b8ac789 100644 --- a/internal/operator-controller/controllers/clusterextension_controller_test.go +++ b/internal/operator-controller/controllers/clusterextension_controller_test.go @@ -15,13 +15,11 @@ import ( "helm.sh/helm/v3/pkg/chart" "helm.sh/helm/v3/pkg/release" "helm.sh/helm/v3/pkg/storage/driver" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" apimeta "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/rand" - "k8s.io/client-go/kubernetes/fake" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" crfinalizer "sigs.k8s.io/controller-runtime/pkg/finalizer" @@ -109,9 +107,6 @@ func TestClusterExtensionShortCircuitsReconcileDuringDeletion(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, }, } require.NoError(t, cl.Create(ctx, clusterExtension)) @@ -150,9 +145,6 @@ func TestClusterExtensionResolutionFails(t *testing.T) { }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, }, } require.NoError(t, cl.Create(ctx, clusterExtension)) @@ -213,8 +205,7 @@ func TestClusterExtensionResolutionFailsWithDeprecationData(t *testing.T) { SourceType: "Catalog", Catalog: &ocv1.CatalogFilter{PackageName: pkgName}, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, clusterExtension)) @@ -304,8 +295,7 @@ func TestClusterExtensionUpgradeShowsInstalledBundleDeprecation(t *testing.T) { SourceType: "Catalog", Catalog: &ocv1.CatalogFilter{PackageName: pkgName}, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, clusterExtension)) @@ -401,8 +391,7 @@ func TestClusterExtensionResolutionFailsWithoutCatalogDeprecationData(t *testing SourceType: "Catalog", Catalog: &ocv1.CatalogFilter{PackageName: pkgName}, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, clusterExtension)) @@ -463,7 +452,6 @@ func TestClusterExtensionResolutionSuccessfulUnpackFails(t *testing.T) { pkgVer := "1.0.0" pkgChan := "beta" namespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -477,9 +465,6 @@ func TestClusterExtensionResolutionSuccessfulUnpackFails(t *testing.T) { }, }, Namespace: namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } cl, reconciler := newClientAndReconciler(t, @@ -590,7 +575,6 @@ func TestClusterExtensionResolutionAndUnpackSuccessfulApplierFails(t *testing.T) pkgVer := "1.0.0" pkgChan := "beta" namespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -604,9 +588,6 @@ func TestClusterExtensionResolutionAndUnpackSuccessfulApplierFails(t *testing.T) }, }, Namespace: namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } err := cl.Create(ctx, clusterExtension) @@ -716,9 +697,6 @@ func TestClusterExtensionBoxcutterApplierFailsDoesNotLeakDeprecationErrors(t *te }, }, Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "default", - }, }, } require.NoError(t, cl.Create(ctx, clusterExtension)) @@ -853,29 +831,8 @@ func TestValidateClusterExtension(t *testing.T) { errorMessageIncludes: "validation error 1\nvalidation error 2", }, { - name: "service account not found", - validators: []controllers.ClusterExtensionValidator{ - // Create a different ServiceAccount to ensure "test-sa" is not found. - serviceAccountValidatorWithFakeClient(&corev1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: "not-test-sa", - Namespace: "test-ns", - }, - }), - }, - expectError: true, - errorMessageIncludes: `service account "test-sa" not found in namespace "test-ns"`, - }, - { - name: "service account found", - validators: []controllers.ClusterExtensionValidator{ - serviceAccountValidatorWithFakeClient(&corev1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-sa", - Namespace: "test-ns", - }, - }), - }, + name: "no validators passes", + validators: []controllers.ClusterExtensionValidator{}, expectError: false, }, } @@ -903,9 +860,6 @@ func TestValidateClusterExtension(t *testing.T) { }, }, Namespace: "test-ns", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "test-sa", - }, }, } @@ -981,7 +935,6 @@ func TestClusterExtensionApplierFailsWithBundleInstalled(t *testing.T) { pkgVer := "1.0.0" pkgChan := "beta" namespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -995,9 +948,6 @@ func TestClusterExtensionApplierFailsWithBundleInstalled(t *testing.T) { }, }, Namespace: namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } err := cl.Create(ctx, clusterExtension) @@ -1070,7 +1020,6 @@ func TestClusterExtensionManagerFailed(t *testing.T) { pkgVer := "1.0.0" pkgChan := "beta" namespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -1084,9 +1033,6 @@ func TestClusterExtensionManagerFailed(t *testing.T) { }, }, Namespace: namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } err := cl.Create(ctx, clusterExtension) @@ -1149,7 +1095,6 @@ func TestClusterExtensionManagedContentCacheWatchFail(t *testing.T) { pkgVer := "1.0.0" pkgChan := "beta" installNamespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -1164,9 +1109,6 @@ func TestClusterExtensionManagedContentCacheWatchFail(t *testing.T) { }, }, Namespace: installNamespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } err := cl.Create(ctx, clusterExtension) @@ -1229,7 +1171,6 @@ func TestClusterExtensionInstallationSucceeds(t *testing.T) { pkgVer := "1.0.0" pkgChan := "beta" namespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -1243,9 +1184,6 @@ func TestClusterExtensionInstallationSucceeds(t *testing.T) { }, }, Namespace: namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } err := cl.Create(ctx, clusterExtension) @@ -1319,7 +1257,6 @@ func TestClusterExtensionDeleteFinalizerFails(t *testing.T) { pkgVer := "1.0.0" pkgChan := "beta" namespace := fmt.Sprintf("test-ns-%s", rand.String(8)) - serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8)) clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{Name: extKey.Name}, @@ -1333,9 +1270,6 @@ func TestClusterExtensionDeleteFinalizerFails(t *testing.T) { }, }, Namespace: namespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: serviceAccount, - }, }, } err := cl.Create(ctx, clusterExtension) @@ -2610,8 +2544,7 @@ func TestResolutionFallbackToInstalledBundle(t *testing.T) { // No version - should fall back }, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, ext)) @@ -2694,8 +2627,7 @@ func TestResolutionFallbackToInstalledBundle(t *testing.T) { Version: "1.0.1", // Requesting upgrade }, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, ext)) @@ -2768,8 +2700,7 @@ func TestResolutionFallbackToInstalledBundle(t *testing.T) { // No version - auto-update to latest }, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, ext)) @@ -2870,8 +2801,7 @@ func TestResolutionFallbackToInstalledBundle(t *testing.T) { // No version specified }, }, - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", }, } require.NoError(t, cl.Create(ctx, ext)) @@ -2997,10 +2927,3 @@ func TestCheckCatalogsExist(t *testing.T) { require.False(t, exists) }) } - -func serviceAccountValidatorWithFakeClient(serviceAccount *corev1.ServiceAccount) controllers.ClusterExtensionValidator { - if serviceAccount == nil { - return controllers.ServiceAccountValidator(fake.NewClientset().CoreV1()) - } - return controllers.ServiceAccountValidator(fake.NewClientset(serviceAccount).CoreV1()) -} diff --git a/internal/operator-controller/controllers/clusterextension_reconcile_steps.go b/internal/operator-controller/controllers/clusterextension_reconcile_steps.go index 14ad717853..3a191c34e9 100644 --- a/internal/operator-controller/controllers/clusterextension_reconcile_steps.go +++ b/internal/operator-controller/controllers/clusterextension_reconcile_steps.go @@ -21,10 +21,8 @@ import ( "errors" "fmt" - apierrors "k8s.io/apimachinery/pkg/api/errors" apimeta "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - corev1client "k8s.io/client-go/kubernetes/typed/core/v1" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/finalizer" @@ -98,21 +96,6 @@ func ValidateClusterExtension(validators ...ClusterExtensionValidator) Reconcile } } -// ServiceAccountValidator returns a validator that checks if the specified -// ServiceAccount exists in the cluster by performing a direct Get call. -func ServiceAccountValidator(saClient corev1client.ServiceAccountsGetter) ClusterExtensionValidator { - return func(ctx context.Context, ext *ocv1.ClusterExtension) error { - _, err := saClient.ServiceAccounts(ext.Spec.Namespace).Get(ctx, ext.Spec.ServiceAccount.Name, metav1.GetOptions{}) - if err != nil { - if apierrors.IsNotFound(err) { - return fmt.Errorf("service account %q not found in namespace %q", ext.Spec.ServiceAccount.Name, ext.Spec.Namespace) - } - return fmt.Errorf("error getting service account: %w", err) - } - return nil - } -} - func RetrieveRevisionStates(r RevisionStatesGetter) ReconcileStepFunc { return func(ctx context.Context, state *reconcileState, ext *ocv1.ClusterExtension) (*ctrl.Result, error) { l := log.FromContext(ctx) diff --git a/internal/operator-controller/controllers/clusterextensionrevision_controller.go b/internal/operator-controller/controllers/clusterextensionrevision_controller.go index 221d583fae..6e3ce62775 100644 --- a/internal/operator-controller/controllers/clusterextensionrevision_controller.go +++ b/internal/operator-controller/controllers/clusterextensionrevision_controller.go @@ -45,10 +45,10 @@ const ( // ClusterExtensionRevisionReconciler actions individual snapshots of ClusterExtensions, // as part of the boxcutter integration. type ClusterExtensionRevisionReconciler struct { - Client client.Client - RevisionEngineFactory RevisionEngineFactory - TrackingCache trackingCache - Clock clock.Clock + Client client.Client + RevisionEngine RevisionEngine + TrackingCache trackingCache + Clock clock.Clock } type trackingCache interface { @@ -146,18 +146,12 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(ctx context.Context, cer return ctrl.Result{}, fmt.Errorf("converting to boxcutter revision: %v", err) } - revisionEngine, err := c.RevisionEngineFactory.CreateRevisionEngine(ctx, cer) - if err != nil { - setRetryingConditions(cer, err.Error()) - return ctrl.Result{}, fmt.Errorf("failed to create revision engine: %v", err) - } - if cer.Spec.LifecycleState == ocv1.ClusterExtensionRevisionLifecycleStateArchived { if err := c.TrackingCache.Free(ctx, cer); err != nil { markAsAvailableUnknown(cer, ocv1.ClusterExtensionRevisionReasonReconciling, err.Error()) return ctrl.Result{}, fmt.Errorf("error stopping informers: %v", err) } - return c.archive(ctx, revisionEngine, cer, revision) + return c.archive(ctx, c.RevisionEngine, cer, revision) } if err := c.ensureFinalizer(ctx, cer, clusterExtensionRevisionTeardownFinalizer); err != nil { @@ -170,7 +164,7 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(ctx context.Context, cer return ctrl.Result{}, werr } - rres, err := revisionEngine.Reconcile(ctx, *revision, opts...) + rres, err := c.RevisionEngine.Reconcile(ctx, *revision, opts...) if err != nil { if rres != nil { // Log detailed reconcile reports only in debug mode (V(1)) to reduce verbosity. diff --git a/internal/operator-controller/controllers/clusterextensionrevision_controller_internal_test.go b/internal/operator-controller/controllers/clusterextensionrevision_controller_internal_test.go index af4445c6c6..d50b43cfef 100644 --- a/internal/operator-controller/controllers/clusterextensionrevision_controller_internal_test.go +++ b/internal/operator-controller/controllers/clusterextensionrevision_controller_internal_test.go @@ -170,9 +170,6 @@ func newTestClusterExtensionInternal() *ocv1.ClusterExtension { }, Spec: ocv1.ClusterExtensionSpec{ Namespace: "some-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "some-sa", - }, Source: ocv1.SourceConfig{ SourceType: "Catalog", Catalog: &ocv1.CatalogFilter{ diff --git a/internal/operator-controller/controllers/clusterextensionrevision_controller_test.go b/internal/operator-controller/controllers/clusterextensionrevision_controller_test.go index 36224232a3..d03933d0c2 100644 --- a/internal/operator-controller/controllers/clusterextensionrevision_controller_test.go +++ b/internal/operator-controller/controllers/clusterextensionrevision_controller_test.go @@ -492,9 +492,9 @@ func Test_ClusterExtensionRevisionReconciler_Reconcile_RevisionReconciliation(t }, } result, err := (&controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: &mockRevisionEngineFactory{engine: mockEngine}, - TrackingCache: &mockTrackingCache{client: testClient}, + Client: testClient, + RevisionEngine: mockEngine, + TrackingCache: &mockTrackingCache{client: testClient}, }).Reconcile(t.Context(), ctrl.Request{ NamespacedName: types.NamespacedName{ Name: tc.reconcilingRevisionName, @@ -612,9 +612,9 @@ func Test_ClusterExtensionRevisionReconciler_Reconcile_ValidationError_Retries(t }, } result, err := (&controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: &mockRevisionEngineFactory{engine: mockEngine}, - TrackingCache: &mockTrackingCache{client: testClient}, + Client: testClient, + RevisionEngine: mockEngine, + TrackingCache: &mockTrackingCache{client: testClient}, }).Reconcile(t.Context(), ctrl.Request{ NamespacedName: types.NamespacedName{ Name: clusterExtensionRevisionName, @@ -643,7 +643,6 @@ func Test_ClusterExtensionRevisionReconciler_Reconcile_ArchivalAndDeletion(t *te existingObjs func() []client.Object revisionResult machinery.RevisionResult revisionEngineTeardownFn func(*testing.T) func(context.Context, machinerytypes.Revision, ...machinerytypes.RevisionTeardownOption) (machinery.RevisionTeardownResult, error) - revisionEngineFactoryErr error validate func(*testing.T, client.Client) trackingCacheFreeFn func(context.Context, client.Object) error expectedErr string @@ -814,39 +813,6 @@ func Test_ClusterExtensionRevisionReconciler_Reconcile_ArchivalAndDeletion(t *te require.Contains(t, rev.Finalizers, "olm.operatorframework.io/teardown") }, }, - { - name: "return error and set retrying conditions when factory fails to create engine during archived teardown", - revisionResult: mockRevisionResult{}, - existingObjs: func() []client.Object { - ext := newTestClusterExtension() - rev1 := newTestClusterExtensionRevision(t, clusterExtensionRevisionName, ext, testScheme) - rev1.Finalizers = []string{ - "olm.operatorframework.io/teardown", - } - rev1.Spec.LifecycleState = ocv1.ClusterExtensionRevisionLifecycleStateArchived - return []client.Object{rev1, ext} - }, - revisionEngineTeardownFn: func(t *testing.T) func(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionTeardownOption) (machinery.RevisionTeardownResult, error) { - return nil - }, - revisionEngineFactoryErr: fmt.Errorf("token getter failed"), - expectedErr: "failed to create revision engine", - validate: func(t *testing.T, c client.Client) { - rev := &ocv1.ClusterExtensionRevision{} - err := c.Get(t.Context(), client.ObjectKey{ - Name: clusterExtensionRevisionName, - }, rev) - require.NoError(t, err) - cond := meta.FindStatusCondition(rev.Status.Conditions, ocv1.ClusterExtensionRevisionTypeProgressing) - require.NotNil(t, cond) - require.Equal(t, metav1.ConditionTrue, cond.Status) - require.Equal(t, ocv1.ClusterExtensionRevisionReasonRetrying, cond.Reason) - require.Contains(t, cond.Message, "token getter failed") - - // Finalizer should still be present - require.Contains(t, rev.Finalizers, "olm.operatorframework.io/teardown") - }, - }, { name: "revision is torn down when in archived state and finalizer is removed", revisionResult: mockRevisionResult{}, @@ -905,10 +871,9 @@ func Test_ClusterExtensionRevisionReconciler_Reconcile_ArchivalAndDeletion(t *te }, teardown: tc.revisionEngineTeardownFn(t), } - factory := &mockRevisionEngineFactory{engine: mockEngine, createErr: tc.revisionEngineFactoryErr} result, err := (&controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: factory, + Client: testClient, + RevisionEngine: mockEngine, TrackingCache: &mockTrackingCache{ client: testClient, freeFn: tc.trackingCacheFreeFn, @@ -1051,8 +1016,8 @@ func Test_ClusterExtensionRevisionReconciler_Reconcile_ProgressDeadline(t *testi }, } result, err := (&controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: &mockRevisionEngineFactory{engine: mockEngine}, + Client: testClient, + RevisionEngine: mockEngine, TrackingCache: &mockTrackingCache{ client: testClient, }, @@ -1078,9 +1043,6 @@ func newTestClusterExtension() *ocv1.ClusterExtension { }, Spec: ocv1.ClusterExtensionSpec{ Namespace: "some-namespace", - ServiceAccount: ocv1.ServiceAccountReference{ - Name: "service-account", - }, Source: ocv1.SourceConfig{ SourceType: ocv1.SourceTypeCatalog, Catalog: &ocv1.CatalogFilter{ @@ -1103,12 +1065,10 @@ func newTestClusterExtensionRevision(t *testing.T, revisionName string, ext *ocv UID: types.UID(revisionName), Generation: int64(1), Annotations: map[string]string{ - labels.PackageNameKey: "some-package", - labels.BundleNameKey: "some-package.v1.0.0", - labels.BundleReferenceKey: "registry.io/some-repo/some-package:v1.0.0", - labels.BundleVersionKey: "1.0.0", - labels.ServiceAccountNameKey: ext.Spec.ServiceAccount.Name, - labels.ServiceAccountNamespaceKey: ext.Spec.Namespace, + labels.PackageNameKey: "some-package", + labels.BundleNameKey: "some-package.v1.0.0", + labels.BundleReferenceKey: "registry.io/some-repo/some-package:v1.0.0", + labels.BundleVersionKey: "1.0.0", }, Labels: map[string]string{ labels.OwnerNameKey: "test-ext", @@ -1154,19 +1114,6 @@ func (m mockRevisionEngine) Reconcile(ctx context.Context, rev machinerytypes.Re return m.reconcile(ctx, rev) } -// mockRevisionEngineFactory creates mock RevisionEngines for testing -type mockRevisionEngineFactory struct { - engine controllers.RevisionEngine - createErr error -} - -func (f *mockRevisionEngineFactory) CreateRevisionEngine(ctx context.Context, rev *ocv1.ClusterExtensionRevision) (controllers.RevisionEngine, error) { - if f.createErr != nil { - return nil, f.createErr - } - return f.engine, nil -} - type mockRevisionResult struct { validationError *validation.RevisionValidationError phases []machinery.PhaseResult @@ -1398,18 +1345,16 @@ func Test_effectiveCollisionProtection(t *testing.T) { } } -func Test_ClusterExtensionRevisionReconciler_getScopedClient_Errors(t *testing.T) { +func Test_ClusterExtensionRevisionReconciler_Reconcile_WithoutOwnerLabel(t *testing.T) { testScheme := newScheme(t) - t.Run("works with serviceAccount annotation and without owner label", func(t *testing.T) { + t.Run("works without owner label", func(t *testing.T) { rev := &ocv1.ClusterExtensionRevision{ ObjectMeta: metav1.ObjectMeta{ Name: "test-rev-1", Labels: map[string]string{}, Annotations: map[string]string{ - labels.ServiceAccountNameKey: "test-sa", - labels.ServiceAccountNamespaceKey: "test-ns", - labels.BundleVersionKey: "1.0.0", + labels.BundleVersionKey: "1.0.0", }, }, Spec: ocv1.ClusterExtensionRevisionSpec{ @@ -1432,9 +1377,9 @@ func Test_ClusterExtensionRevisionReconciler_getScopedClient_Errors(t *testing.T } reconciler := &controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: &mockRevisionEngineFactory{engine: mockEngine}, - TrackingCache: &mockTrackingCache{client: testClient}, + Client: testClient, + RevisionEngine: mockEngine, + TrackingCache: &mockTrackingCache{client: testClient}, } _, err := reconciler.Reconcile(t.Context(), ctrl.Request{ @@ -1443,70 +1388,4 @@ func Test_ClusterExtensionRevisionReconciler_getScopedClient_Errors(t *testing.T require.NoError(t, err) }) - - t.Run("missing serviceAccount annotation", func(t *testing.T) { - rev := &ocv1.ClusterExtensionRevision{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-rev-1", - Annotations: map[string]string{ - labels.BundleVersionKey: "1.0.0", - }, - }, - Spec: ocv1.ClusterExtensionRevisionSpec{ - LifecycleState: ocv1.ClusterExtensionRevisionLifecycleStateActive, - Revision: 1, - Phases: []ocv1.ClusterExtensionRevisionPhase{}, - }, - } - - testClient := fake.NewClientBuilder(). - WithScheme(testScheme). - WithObjects(rev). - Build() - - failingFactory := &mockRevisionEngineFactory{ - createErr: errors.New("missing serviceAccount name annotation"), - } - - reconciler := &controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: failingFactory, - TrackingCache: &mockTrackingCache{client: testClient}, - } - - _, err := reconciler.Reconcile(t.Context(), ctrl.Request{ - NamespacedName: types.NamespacedName{Name: "test-rev-1"}, - }) - - require.Error(t, err) - require.Contains(t, err.Error(), "serviceAccount") - }) - - t.Run("factory fails to create engine", func(t *testing.T) { - ext := newTestClusterExtension() - rev := newTestClusterExtensionRevision(t, "test-rev", ext, testScheme) - - testClient := fake.NewClientBuilder(). - WithScheme(testScheme). - WithObjects(ext, rev). - Build() - - failingFactory := &mockRevisionEngineFactory{ - createErr: errors.New("token getter failed"), - } - - reconciler := &controllers.ClusterExtensionRevisionReconciler{ - Client: testClient, - RevisionEngineFactory: failingFactory, - TrackingCache: &mockTrackingCache{client: testClient}, - } - - _, err := reconciler.Reconcile(t.Context(), ctrl.Request{ - NamespacedName: types.NamespacedName{Name: "test-rev"}, - }) - - require.Error(t, err) - require.Contains(t, err.Error(), "failed to create revision engine") - require.Contains(t, err.Error(), "token getter failed") - }) } diff --git a/internal/operator-controller/controllers/revision_engine.go b/internal/operator-controller/controllers/revision_engine.go new file mode 100644 index 0000000000..e62fec916b --- /dev/null +++ b/internal/operator-controller/controllers/revision_engine.go @@ -0,0 +1,49 @@ +//go:build !standard + +// This file is excluded from standard builds because ClusterExtensionRevision +// is an experimental feature. Standard builds use Helm-based applier only. + +package controllers + +import ( + "context" + + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/discovery" + "pkg.package-operator.run/boxcutter/machinery" + machinerytypes "pkg.package-operator.run/boxcutter/machinery/types" + "pkg.package-operator.run/boxcutter/managedcache" + "pkg.package-operator.run/boxcutter/ownerhandling" + "pkg.package-operator.run/boxcutter/validation" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// RevisionEngine defines the interface for reconciling and tearing down revisions. +type RevisionEngine interface { + Teardown(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionTeardownOption) (machinery.RevisionTeardownResult, error) + Reconcile(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionReconcileOption) (machinery.RevisionResult, error) +} + +// NewRevisionEngine creates a boxcutter RevisionEngine using the provided client. +func NewRevisionEngine( + scheme *runtime.Scheme, + trackingCache managedcache.TrackingCache, + discoveryClient discovery.CachedDiscoveryInterface, + restMapper meta.RESTMapper, + fieldOwnerPrefix string, + c client.Client, +) RevisionEngine { + return machinery.NewRevisionEngine( + machinery.NewPhaseEngine( + machinery.NewObjectEngine( + scheme, trackingCache, c, + ownerhandling.NewNative(scheme), + machinery.NewComparator(ownerhandling.NewNative(scheme), discoveryClient, scheme, fieldOwnerPrefix), + fieldOwnerPrefix, fieldOwnerPrefix, + ), + validation.NewClusterPhaseValidator(restMapper, c), + ), + validation.NewRevisionValidator(), c, + ) +} diff --git a/internal/operator-controller/controllers/revision_engine_factory.go b/internal/operator-controller/controllers/revision_engine_factory.go deleted file mode 100644 index aa8a9b9ffc..0000000000 --- a/internal/operator-controller/controllers/revision_engine_factory.go +++ /dev/null @@ -1,149 +0,0 @@ -//go:build !standard - -// This file is excluded from standard builds because ClusterExtensionRevision -// is an experimental feature. Standard builds use Helm-based applier only. -// The experimental build includes BoxcutterRuntime which requires these factories -// for serviceAccount-scoped client creation and RevisionEngine instantiation. - -package controllers - -import ( - "context" - "fmt" - "net/http" - "strings" - - "k8s.io/apimachinery/pkg/api/meta" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/discovery" - "k8s.io/client-go/rest" - "pkg.package-operator.run/boxcutter/machinery" - machinerytypes "pkg.package-operator.run/boxcutter/machinery/types" - "pkg.package-operator.run/boxcutter/managedcache" - "pkg.package-operator.run/boxcutter/ownerhandling" - "pkg.package-operator.run/boxcutter/validation" - "sigs.k8s.io/controller-runtime/pkg/client" - - ocv1 "github.com/operator-framework/operator-controller/api/v1" - "github.com/operator-framework/operator-controller/internal/operator-controller/authentication" - "github.com/operator-framework/operator-controller/internal/operator-controller/labels" -) - -// RevisionEngine defines the interface for reconciling and tearing down revisions. -type RevisionEngine interface { - Teardown(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionTeardownOption) (machinery.RevisionTeardownResult, error) - Reconcile(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionReconcileOption) (machinery.RevisionResult, error) -} - -// RevisionEngineFactory creates a RevisionEngine for a ClusterExtensionRevision. -type RevisionEngineFactory interface { - CreateRevisionEngine(ctx context.Context, rev *ocv1.ClusterExtensionRevision) (RevisionEngine, error) -} - -// defaultRevisionEngineFactory creates boxcutter RevisionEngines with serviceAccount-scoped clients. -type defaultRevisionEngineFactory struct { - Scheme *runtime.Scheme - TrackingCache managedcache.TrackingCache - DiscoveryClient discovery.CachedDiscoveryInterface - RESTMapper meta.RESTMapper - FieldOwnerPrefix string - BaseConfig *rest.Config - TokenGetter *authentication.TokenGetter -} - -// CreateRevisionEngine constructs a boxcutter RevisionEngine for the given ClusterExtensionRevision. -// It reads the ServiceAccount from annotations and creates a scoped client. -func (f *defaultRevisionEngineFactory) CreateRevisionEngine(_ context.Context, rev *ocv1.ClusterExtensionRevision) (RevisionEngine, error) { - saNamespace, saName, err := f.getServiceAccount(rev) - if err != nil { - return nil, err - } - - scopedClient, err := f.createScopedClient(saNamespace, saName) - if err != nil { - return nil, err - } - - return machinery.NewRevisionEngine( - machinery.NewPhaseEngine( - machinery.NewObjectEngine( - f.Scheme, f.TrackingCache, scopedClient, - ownerhandling.NewNative(f.Scheme), - machinery.NewComparator(ownerhandling.NewNative(f.Scheme), f.DiscoveryClient, f.Scheme, f.FieldOwnerPrefix), - f.FieldOwnerPrefix, f.FieldOwnerPrefix, - ), - validation.NewClusterPhaseValidator(f.RESTMapper, scopedClient), - ), - validation.NewRevisionValidator(), scopedClient, - ), nil -} - -func (f *defaultRevisionEngineFactory) getServiceAccount(rev *ocv1.ClusterExtensionRevision) (string, string, error) { - annotations := rev.GetAnnotations() - if annotations == nil { - return "", "", fmt.Errorf("revision %q is missing required annotations", rev.Name) - } - - saName := strings.TrimSpace(annotations[labels.ServiceAccountNameKey]) - saNamespace := strings.TrimSpace(annotations[labels.ServiceAccountNamespaceKey]) - - if len(saName) == 0 { - return "", "", fmt.Errorf("revision %q is missing ServiceAccount name annotation", rev.Name) - } - if len(saNamespace) == 0 { - return "", "", fmt.Errorf("revision %q is missing ServiceAccount namespace annotation", rev.Name) - } - - return saNamespace, saName, nil -} - -func (f *defaultRevisionEngineFactory) createScopedClient(namespace, serviceAccountName string) (client.Client, error) { - saConfig := rest.AnonymousClientConfig(f.BaseConfig) - saConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper { - return &authentication.TokenInjectingRoundTripper{ - Tripper: rt, - TokenGetter: f.TokenGetter, - Key: types.NamespacedName{ - Name: serviceAccountName, - Namespace: namespace, - }, - } - }) - - scopedClient, err := client.New(saConfig, client.Options{ - Scheme: f.Scheme, - }) - if err != nil { - return nil, fmt.Errorf("failed to create client for ServiceAccount %s/%s: %w", namespace, serviceAccountName, err) - } - - return scopedClient, nil -} - -// NewDefaultRevisionEngineFactory creates a new defaultRevisionEngineFactory. -func NewDefaultRevisionEngineFactory( - scheme *runtime.Scheme, - trackingCache managedcache.TrackingCache, - discoveryClient discovery.CachedDiscoveryInterface, - restMapper meta.RESTMapper, - fieldOwnerPrefix string, - baseConfig *rest.Config, - tokenGetter *authentication.TokenGetter, -) (RevisionEngineFactory, error) { - if baseConfig == nil { - return nil, fmt.Errorf("baseConfig is required but not provided") - } - if tokenGetter == nil { - return nil, fmt.Errorf("tokenGetter is required but not provided") - } - return &defaultRevisionEngineFactory{ - Scheme: scheme, - TrackingCache: trackingCache, - DiscoveryClient: discoveryClient, - RESTMapper: restMapper, - FieldOwnerPrefix: fieldOwnerPrefix, - BaseConfig: baseConfig, - TokenGetter: tokenGetter, - }, nil -} diff --git a/internal/operator-controller/features/features.go b/internal/operator-controller/features/features.go index 53ee2626ae..826ff36067 100644 --- a/internal/operator-controller/features/features.go +++ b/internal/operator-controller/features/features.go @@ -11,9 +11,6 @@ import ( const ( // Add new feature gates constants (strings) // Ex: SomeFeature featuregate.Feature = "SomeFeature" - PreflightPermissions featuregate.Feature = "PreflightPermissions" - SingleOwnNamespaceInstallSupport featuregate.Feature = "SingleOwnNamespaceInstallSupport" - SyntheticPermissions featuregate.Feature = "SyntheticPermissions" WebhookProviderCertManager featuregate.Feature = "WebhookProviderCertManager" WebhookProviderOpenshiftServiceCA featuregate.Feature = "WebhookProviderOpenshiftServiceCA" HelmChartSupport featuregate.Feature = "HelmChartSupport" @@ -24,28 +21,6 @@ const ( var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{ // Add new feature gate definitions // Ex: SomeFeature: {...} - PreflightPermissions: { - Default: false, - PreRelease: featuregate.Alpha, - LockToDefault: false, - }, - - // SingleOwnNamespaceInstallSupport enables support for installing - // registry+v1 cluster extensions with single or own namespaces modes - // i.e. with a single watch namespace. - SingleOwnNamespaceInstallSupport: { - Default: true, - PreRelease: featuregate.GA, - LockToDefault: false, - }, - - // SyntheticPermissions enables support for a synthetic user permission - // model to manage operator permission boundaries - SyntheticPermissions: { - Default: false, - PreRelease: featuregate.Alpha, - LockToDefault: false, - }, // WebhookProviderCertManager enables support for installing // registry+v1 cluster extensions that include validating, diff --git a/internal/operator-controller/labels/labels.go b/internal/operator-controller/labels/labels.go index 16f45ecbb3..2c8e702968 100644 --- a/internal/operator-controller/labels/labels.go +++ b/internal/operator-controller/labels/labels.go @@ -26,20 +26,6 @@ const ( // ClusterExtensionRevision. BundleReferenceKey = "olm.operatorframework.io/bundle-reference" - // ServiceAccountNameKey is the annotation key used to record the name of - // the ServiceAccount configured on the owning ClusterExtension. It is - // applied as an annotation on ClusterExtensionRevision resources to - // capture which ServiceAccount was used for their lifecycle operations. - ServiceAccountNameKey = "olm.operatorframework.io/service-account-name" - - // ServiceAccountNamespaceKey is the annotation key used to record the - // namespace of the ServiceAccount configured on the owning - // ClusterExtension. It is applied as an annotation on - // ClusterExtensionRevision resources together with ServiceAccountNameKey - // so that the effective ServiceAccount identity used for - // ClusterExtensionRevision operations is preserved. - ServiceAccountNamespaceKey = "olm.operatorframework.io/service-account-namespace" - // MigratedFromHelmKey is the label key used to mark ClusterExtensionRevisions // that were created during migration from Helm releases. This label is used // to distinguish migrated revisions from those created by normal Boxcutter operation. diff --git a/internal/operator-controller/resolve/catalog_test.go b/internal/operator-controller/resolve/catalog_test.go index 2ec3192b69..e07f428521 100644 --- a/internal/operator-controller/resolve/catalog_test.go +++ b/internal/operator-controller/resolve/catalog_test.go @@ -586,8 +586,7 @@ func buildFooClusterExtension(pkg string, channels []string, version string, upg Name: pkg, }, Spec: ocv1.ClusterExtensionSpec{ - Namespace: "default", - ServiceAccount: ocv1.ServiceAccountReference{Name: "default"}, + Namespace: "default", Source: ocv1.SourceConfig{ SourceType: "Catalog", Catalog: &ocv1.CatalogFilter{ diff --git a/internal/operator-controller/rukpak/bundle/README.md b/internal/operator-controller/rukpak/bundle/README.md index 010cf46b7c..79d15c1b08 100644 --- a/internal/operator-controller/rukpak/bundle/README.md +++ b/internal/operator-controller/rukpak/bundle/README.md @@ -6,7 +6,6 @@ This directory contains the JSON schema for registry+v1 bundle configuration val The `registryv1bundleconfig.json` schema is used to validate the bundle configuration in the ClusterExtension's inline configuration. This includes: -- `watchNamespace`: Controls which namespace(s) the operator watches for custom resources - `deploymentConfig`: Customizes operator deployment (environment variables, resources, volumes, etc.) The `deploymentConfig` portion is based on OLM v0's `SubscriptionConfig` struct but excludes the `selector` field which was never used in v0. @@ -43,7 +42,7 @@ This will regenerate the schema based on the current module-resolved version of ## Validation -The schema is used to validate user-provided bundle configuration (including `watchNamespace` and `deploymentConfig`) in ClusterExtension resources. The base schema is loaded and customized at runtime based on the operator's install modes to ensure proper validation of the `watchNamespace` field. Validation happens during: +The schema is used to validate user-provided bundle configuration (`deploymentConfig`) in ClusterExtension resources. Validation happens during: 1. **Admission**: When a ClusterExtension is created or updated 2. **Runtime**: When extracting configuration from the inline field diff --git a/internal/operator-controller/rukpak/bundle/registryv1.go b/internal/operator-controller/rukpak/bundle/registryv1.go index 5b0c2a8cd9..d6888f5930 100644 --- a/internal/operator-controller/rukpak/bundle/registryv1.go +++ b/internal/operator-controller/rukpak/bundle/registryv1.go @@ -7,17 +7,8 @@ import ( apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/util/sets" "github.com/operator-framework/api/pkg/operators/v1alpha1" - - "github.com/operator-framework/operator-controller/internal/operator-controller/config" -) - -const ( - watchNamespaceConfigKey = "watchNamespace" - namespaceNamePattern = "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" - namespaceNameMaxLength = 63 ) var ( @@ -32,196 +23,8 @@ type RegistryV1 struct { Others []unstructured.Unstructured } -// GetConfigSchema builds a validation schema based on what install modes the operator supports. -// -// For registry+v1 bundles, we look at the CSV's install modes and generate a schema -// that matches. For example, if the operator only supports OwnNamespace mode, we'll -// require the user to provide a watchNamespace that equals the install namespace. +// GetConfigSchema returns the validation schema for registry+v1 bundle configuration. func (rv1 *RegistryV1) GetConfigSchema() (map[string]any, error) { - installModes := sets.New(rv1.CSV.Spec.InstallModes...) - return buildBundleConfigSchema(installModes) -} - -// buildBundleConfigSchema loads the base bundle config schema and modifies it based on -// the operator's install modes. -// -// The base schema includes -// 1. watchNamespace -// 2. deploymentConfig properties. -// The watchNamespace property is modified based on what the operator supports: -// - AllNamespaces only: remove watchNamespace (operator always watches everything) -// - OwnNamespace only: make watchNamespace required, must equal install namespace -// - SingleNamespace only: make watchNamespace required, must differ from install namespace -// - AllNamespaces + OwnNamespace: make watchNamespace optional -func buildBundleConfigSchema(installModes sets.Set[v1alpha1.InstallMode]) (map[string]any, error) { - // Load the base schema - baseSchema, err := getBundleConfigSchemaMap() - if err != nil { - return nil, fmt.Errorf("failed to get base bundle config schema: %w", err) - } - - // Get properties map from the schema - properties, ok := baseSchema["properties"].(map[string]any) - if !ok { - return nil, fmt.Errorf("base schema missing properties") - } - - // Modify watchNamespace field based on install modes - if isWatchNamespaceConfigurable(installModes) { - // Replace the generic watchNamespace with install-mode-specific version - watchNSProperty, isRequired := buildWatchNamespaceProperty(installModes) - properties[watchNamespaceConfigKey] = watchNSProperty - - // Preserve existing required fields, only add/remove watchNamespace - if isRequired { - addToRequired(baseSchema, watchNamespaceConfigKey) - } else { - removeFromRequired(baseSchema, watchNamespaceConfigKey) - } - } else { - // AllNamespaces only - remove watchNamespace property entirely - // (operator always watches all namespaces, no configuration needed) - delete(properties, watchNamespaceConfigKey) - removeFromRequired(baseSchema, watchNamespaceConfigKey) - } - - return baseSchema, nil -} - -// addToRequired adds fieldName to the schema's required array if it's not already present. -// Preserves any existing required fields. -func addToRequired(schema map[string]any, fieldName string) { - var required []any - if existingRequired, ok := schema["required"].([]any); ok { - // Check if field is already required - for _, field := range existingRequired { - if field == fieldName { - return // Already required - } - } - required = existingRequired - } - // Add the field to required list - schema["required"] = append(required, fieldName) -} - -// removeFromRequired removes fieldName from the schema's required array if present. -// Preserves all other required fields. -func removeFromRequired(schema map[string]any, fieldName string) { - existingRequired, ok := schema["required"].([]any) - if !ok { - return // No required array - } - - // Filter out the field - filtered := make([]any, 0, len(existingRequired)) - for _, field := range existingRequired { - if field != fieldName { - filtered = append(filtered, field) - } - } - - // Update or delete the required array - if len(filtered) > 0 { - schema["required"] = filtered - } else { - delete(schema, "required") - } -} - -// buildWatchNamespaceProperty creates the validation rules for the watchNamespace field. -// -// The rules depend on what install modes are supported: -// - AllNamespaces supported: watchNamespace is optional (can be null) -// - Only Single/Own supported: watchNamespace is required -// - Only OwnNamespace: must equal install namespace -// - Only SingleNamespace: must be different from install namespace -// -// Returns the validation rules and whether the field is required. -func buildWatchNamespaceProperty(installModes sets.Set[v1alpha1.InstallMode]) (map[string]any, bool) { - const description = "The namespace that the operator should watch for custom resources" - - hasOwnNamespace := installModes.Has(v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeOwnNamespace, Supported: true}) - hasSingleNamespace := installModes.Has(v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeSingleNamespace, Supported: true}) - - format := selectNamespaceFormat(hasOwnNamespace, hasSingleNamespace) - - watchNamespaceSchema := map[string]any{ - "type": "string", - "minLength": 1, - "maxLength": namespaceNameMaxLength, - // kubernetes namespace name format - "pattern": namespaceNamePattern, - } - if format != "" { - watchNamespaceSchema["format"] = format - } - - if isWatchNamespaceConfigRequired(installModes) { - watchNamespaceSchema["description"] = description - return watchNamespaceSchema, true - } - - // allow null or valid namespace string - return map[string]any{ - "description": description, - "anyOf": []any{ - map[string]any{"type": "null"}, - watchNamespaceSchema, - }, - }, false -} - -// selectNamespaceFormat picks which namespace constraint to apply. -// -// - OwnNamespace only: watchNamespace must equal install namespace -// - SingleNamespace only: watchNamespace must be different from install namespace -// - Both or neither: no constraint, any namespace name is valid -func selectNamespaceFormat(hasOwnNamespace, hasSingleNamespace bool) string { - if hasOwnNamespace && !hasSingleNamespace { - return config.FormatOwnNamespaceInstallMode - } - if hasSingleNamespace && !hasOwnNamespace { - return config.FormatSingleNamespaceInstallMode - } - return "" // No format constraint needed for generic case -} - -// isWatchNamespaceConfigurable checks if the user can set a watchNamespace. -// -// Returns true if: -// - SingleNamespace is supported (user picks a namespace to watch) -// - OwnNamespace is supported (user sets watchNamespace to the install namespace) -// -// Returns false if: -// - Only AllNamespaces is supported (operator always watches everything) -func isWatchNamespaceConfigurable(installModes sets.Set[v1alpha1.InstallMode]) bool { - return installModes.HasAny( - v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeSingleNamespace, Supported: true}, - v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeOwnNamespace, Supported: true}, - ) -} - -// isWatchNamespaceConfigRequired checks if the user must provide a watchNamespace. -// -// Returns true (required) when: -// - Only OwnNamespace is supported -// - Only SingleNamespace is supported -// - Both OwnNamespace and SingleNamespace are supported -// -// Returns false (optional) when: -// - AllNamespaces is supported (user can leave it unset to watch all namespaces) -func isWatchNamespaceConfigRequired(installModes sets.Set[v1alpha1.InstallMode]) bool { - return isWatchNamespaceConfigurable(installModes) && - !installModes.Has(v1alpha1.InstallMode{Type: v1alpha1.InstallModeTypeAllNamespaces, Supported: true}) -} - -// getBundleConfigSchemaMap returns the complete registry+v1 bundle configuration schema -// as a map[string]any. This includes the following properties: -// 1. watchNamespace -// 2. deploymentConfig -// The schema can be modified at runtime based on operator install modes before validation. -func getBundleConfigSchemaMap() (map[string]any, error) { var schemaMap map[string]any if err := json.Unmarshal(bundleConfigSchemaJSON, &schemaMap); err != nil { return nil, fmt.Errorf("failed to unmarshal bundle config schema: %w", err) diff --git a/internal/operator-controller/rukpak/bundle/registryv1_test.go b/internal/operator-controller/rukpak/bundle/registryv1_test.go index 6efcbafa21..696197f1bb 100644 --- a/internal/operator-controller/rukpak/bundle/registryv1_test.go +++ b/internal/operator-controller/rukpak/bundle/registryv1_test.go @@ -8,8 +8,9 @@ import ( "github.com/stretchr/testify/require" ) -func TestGetBundleConfigSchemaMap(t *testing.T) { - schema, err := getBundleConfigSchemaMap() +func TestGetConfigSchema(t *testing.T) { + rv1 := &RegistryV1{} + schema, err := rv1.GetConfigSchema() require.NoError(t, err, "should successfully get bundle config schema") require.NotNil(t, schema, "schema should not be nil") @@ -22,26 +23,13 @@ func TestGetBundleConfigSchemaMap(t *testing.T) { assert.Equal(t, false, schema["additionalProperties"]) }) - t.Run("schema includes watchNamespace and deploymentConfig properties", func(t *testing.T) { + t.Run("schema includes deploymentConfig property", func(t *testing.T) { properties, ok := schema["properties"].(map[string]any) require.True(t, ok, "schema should have properties") - assert.Contains(t, properties, "watchNamespace") assert.Contains(t, properties, "deploymentConfig") }) - t.Run("watchNamespace has anyOf with null and string", func(t *testing.T) { - properties, ok := schema["properties"].(map[string]any) - require.True(t, ok) - - watchNamespace, ok := properties["watchNamespace"].(map[string]any) - require.True(t, ok, "watchNamespace should be present") - - anyOf, ok := watchNamespace["anyOf"].([]any) - require.True(t, ok, "watchNamespace should have anyOf") - assert.Len(t, anyOf, 2, "watchNamespace anyOf should have 2 options") - }) - t.Run("deploymentConfig has expected structure", func(t *testing.T) { properties, ok := schema["properties"].(map[string]any) require.True(t, ok) @@ -102,8 +90,8 @@ func TestGetBundleConfigSchemaMap(t *testing.T) { // by a JSON schema validator without errors. This catches broken $ref targets // and other structural issues. func TestSchemaCompilation(t *testing.T) { - // Get the schema as a map (same as how config package uses it) - schemaMap, err := getBundleConfigSchemaMap() + rv1 := &RegistryV1{} + schemaMap, err := rv1.GetConfigSchema() require.NoError(t, err, "should successfully get bundle config schema") // Compile the schema using the same library used by config package diff --git a/internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json b/internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json index 1197f721a3..7730caf1c3 100644 --- a/internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json +++ b/internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://operator-framework.io/schemas/registry-v1-bundle-config.json", "title": "Registry+v1 Bundle Configuration", - "description": "Configuration schema for registry+v1 bundles. Includes watchNamespace for controlling operator scope and deploymentConfig for customizing operator deployment (environment variables, resource scheduling, storage, and pod placement). The deploymentConfig follows the same structure and behavior as OLM v0's SubscriptionConfig. Note: The 'selector' field from v0's SubscriptionConfig is not included as it was never used.", + "description": "Configuration schema for registry+v1 bundles. Includes deploymentConfig for customizing operator deployment (environment variables, resource scheduling, storage, and pod placement). The deploymentConfig follows the same structure and behavior as OLM v0's SubscriptionConfig. Note: The 'selector' field from v0's SubscriptionConfig is not included as it was never used.", "type": "object", "properties": { "deploymentConfig": { @@ -59,17 +59,6 @@ } }, "additionalProperties": false - }, - "watchNamespace": { - "description": "The namespace that the operator should watch for custom resources. The meaning and validation of this field depends on the operator's install modes. This field may be optional or required, and may have format constraints, based on the operator's supported install modes.", - "anyOf": [ - { - "type": "null" - }, - { - "type": "string" - } - ] } }, "additionalProperties": false, diff --git a/internal/operator-controller/rukpak/render/render.go b/internal/operator-controller/rukpak/render/render.go index 86eb2ff492..083971b1df 100644 --- a/internal/operator-controller/rukpak/render/render.go +++ b/internal/operator-controller/rukpak/render/render.go @@ -66,6 +66,10 @@ type Options struct { // DeploymentConfig contains optional customizations to apply to CSV deployments. // If nil, no customizations are applied. DeploymentConfig *config.DeploymentConfig + // SkipInstallModeValidation skips validation of target namespaces against + // the bundle's declared install mode support. When true, the caller takes + // responsibility for ensuring the target namespaces are appropriate. + SkipInstallModeValidation bool } func (o *Options) apply(opts ...Option) *Options { @@ -82,8 +86,10 @@ func (o *Options) validate(rv1 *bundle.RegistryV1) (*Options, []error) { if o.UniqueNameGenerator == nil { errs = append(errs, errors.New("unique name generator must be specified")) } - if err := validateTargetNamespaces(rv1, o.InstallNamespace, o.TargetNamespaces); err != nil { - errs = append(errs, fmt.Errorf("invalid target namespaces %v: %w", o.TargetNamespaces, err)) + if !o.SkipInstallModeValidation { + if err := validateTargetNamespaces(rv1, o.InstallNamespace, o.TargetNamespaces); err != nil { + errs = append(errs, fmt.Errorf("invalid target namespaces %v: %w", o.TargetNamespaces, err)) + } } return o, errs } @@ -121,6 +127,16 @@ func WithDeploymentConfig(deploymentConfig *config.DeploymentConfig) Option { } } +// WithSkipInstallModeValidation skips validation of target namespaces against +// the bundle's declared install mode support. This is useful when the caller +// wants to force a specific target namespace configuration regardless of what +// install modes the bundle declares. +func WithSkipInstallModeValidation() Option { + return func(o *Options) { + o.SkipInstallModeValidation = true + } +} + type BundleRenderer struct { BundleValidator BundleValidator ResourceGenerators []ResourceGenerator diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 8655035d45..aa9f157128 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1123,11 +1123,11 @@ spec: type: integer serviceAccount: description: |- - serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - The serviceAccount field is required. + serviceAccount was previously used to specify a ServiceAccount for managing the extension. + This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + for all Kubernetes API interactions. + + Deprecated: This field is ignored. It will be removed in a future API version. properties: name: description: |- @@ -1441,7 +1441,6 @@ spec: has(self.catalog) : !has(self.catalog)' required: - namespace - - serviceAccount - source type: object status: @@ -1805,96 +1804,16 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental-e2e rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch - apiGroups: - "*" resources: - "*" verbs: - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions - verbs: - - create - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions/status - verbs: - - patch - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions/finalizers + - "*" + - nonResourceURLs: + - "*" verbs: - - update + - "*" --- # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 @@ -1962,7 +1881,7 @@ metadata: labels: app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: operator-controller-manager-admin-rolebinding + name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -2451,7 +2370,6 @@ spec: - --metrics-bind-address=:8443 - --pprof-bind-address=:6060 - --leader-elect - - --feature-gates=PreflightPermissions=true - --feature-gates=HelmChartSupport=true - --feature-gates=BoxcutterRuntime=true - --feature-gates=DeploymentConfig=true diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index dd641cb9b2..717be6ee81 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -1084,11 +1084,11 @@ spec: type: integer serviceAccount: description: |- - serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - The serviceAccount field is required. + serviceAccount was previously used to specify a ServiceAccount for managing the extension. + This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + for all Kubernetes API interactions. + + Deprecated: This field is ignored. It will be removed in a future API version. properties: name: description: |- @@ -1402,7 +1402,6 @@ spec: has(self.catalog) : !has(self.catalog)' required: - namespace - - serviceAccount - source type: object status: @@ -1766,96 +1765,16 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch - apiGroups: - "*" resources: - "*" verbs: - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions - verbs: - - create - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions/status - verbs: - - patch - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensionrevisions/finalizers + - "*" + - nonResourceURLs: + - "*" verbs: - - update + - "*" --- # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 @@ -1923,7 +1842,7 @@ metadata: labels: app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: operator-controller-manager-admin-rolebinding + name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -2357,7 +2276,6 @@ spec: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 - --leader-elect - - --feature-gates=PreflightPermissions=true - --feature-gates=HelmChartSupport=true - --feature-gates=BoxcutterRuntime=true - --feature-gates=DeploymentConfig=true diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 0d6060a1b9..7994e6e2ae 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -779,11 +779,11 @@ spec: rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") serviceAccount: description: |- - serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - The serviceAccount field is required. + serviceAccount was previously used to specify a ServiceAccount for managing the extension. + This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + for all Kubernetes API interactions. + + Deprecated: This field is ignored. It will be removed in a future API version. properties: name: description: |- @@ -1097,7 +1097,6 @@ spec: has(self.catalog) : !has(self.catalog)' required: - namespace - - serviceAccount - source type: object status: @@ -1378,64 +1377,15 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e rules: - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - apiGroups: - - apiextensions.k8s.io + - "*" resources: - - customresourcedefinitions + - "*" verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles + - "*" + - nonResourceURLs: + - "*" verbs: - - list - - watch + - "*" --- # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/standard.yaml b/manifests/standard.yaml index b337169e27..19e133bc70 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -740,11 +740,11 @@ spec: rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") serviceAccount: description: |- - serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster - that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - The serviceAccount field is required. + serviceAccount was previously used to specify a ServiceAccount for managing the extension. + This field is now deprecated and ignored. operator-controller uses its own ServiceAccount + for all Kubernetes API interactions. + + Deprecated: This field is ignored. It will be removed in a future API version. properties: name: description: |- @@ -1058,7 +1058,6 @@ spec: has(self.catalog) : !has(self.catalog)' required: - namespace - - serviceAccount - source type: object status: @@ -1339,64 +1338,15 @@ metadata: olm.operatorframework.io/feature-set: standard rules: - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - apiGroups: - - apiextensions.k8s.io + - "*" resources: - - customresourcedefinitions + - "*" verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles + - "*" + - nonResourceURLs: + - "*" verbs: - - list - - watch + - "*" --- # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/mkdocs.yml b/mkdocs.yml index e891896222..9074aa92c3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -40,9 +40,9 @@ nav: - Version Pinning: howto/how-to-pin-version.md - Version Range Upgrades: howto/how-to-version-range-upgrades.md - Z-Stream Upgrades: howto/how-to-z-stream-upgrades.md - - Derive Service Account Permissions: howto/derive-service-account.md - Grant Access to Your Extension's API: howto/how-to-grant-api-access.md - Conceptual Guides: + - Permission Model: concepts/permission-model.md - Single Owner Objects: concepts/single-owner-objects.md - Upgrade Support: concepts/upgrade-support.md - CRD Upgrade Safety: concepts/crd-upgrade-safety.md diff --git a/test/e2e/README.md b/test/e2e/README.md index 5f9957c5a6..cddde24abe 100644 --- a/test/e2e/README.md +++ b/test/e2e/README.md @@ -33,8 +33,6 @@ test/e2e/ ├── steps.go # Step definition implementations ├── hooks.go # Test hooks and scenario context └── testdata/ # Test data (RBAC templates, catalogs) - ├── rbac-template.yaml - ├── cluster-admin-rbac-template.yaml ├── metrics-reader-rbac-template.yaml ├── test-catalog-template.yaml ├── extra-catalog-template.yaml @@ -75,7 +73,6 @@ Feature: Install ClusterExtension Background: Given OLM is available And "test" catalog serves bundles - And Service account "olm-sa" with needed permissions is available in test namespace Scenario: Install latest available version from the default channel When ClusterExtension is applied @@ -86,8 +83,6 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -95,7 +90,6 @@ Feature: Install ClusterExtension selector: matchLabels: "olm.operatorframework.io/metadata.name": test-catalog - ... """ Then ClusterExtension is rolled out And ClusterExtension is available diff --git a/test/e2e/features/install.feature b/test/e2e/features/install.feature index ce3fb34302..2f94d8a659 100644 --- a/test/e2e/features/install.feature +++ b/test/e2e/features/install.feature @@ -6,7 +6,6 @@ Feature: Install ClusterExtension Background: Given OLM is available And ClusterCatalog "test" serves bundles - And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} Scenario: Install latest available version When ClusterExtension is applied @@ -17,8 +16,6 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -34,8 +31,7 @@ Feature: Install ClusterExtension And resource "configmap/test-configmap" is installed And resource "deployment/test-operator" is installed - @mirrored-registry - Scenario Outline: Install latest available version from mirrored registry + Scenario: SingleNamespace-only bundle installs in AllNamespaces mode When ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 @@ -44,52 +40,19 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: - packageName: + packageName: single-namespace-operator selector: matchLabels: "olm.operatorframework.io/metadata.name": test-catalog """ Then ClusterExtension is rolled out And ClusterExtension is available - And bundle "-operator.1.2.0" is installed in version "1.2.0" - And resource "networkpolicy/test-operator-network-policy" is installed - And resource "configmap/test-configmap" is installed - And resource "deployment/test-operator" is installed + And operator "single-namespace-operator" target namespace is "" - Examples: - | package-name | - | test-mirrored | - | dynamic | - - - Scenario: Report that bundle cannot be installed when it exists in multiple catalogs with same priority - Given ClusterCatalog "extra" serves bundles - When ClusterExtension is applied - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa - source: - sourceType: Catalog - catalog: - packageName: test - """ - Then ClusterExtension reports Progressing as True with Reason Retrying and Message: - """ - found bundles for package "test" in multiple catalogs with the same priority [extra-catalog test-catalog] - """ - - Scenario: Report error when ServiceAccount does not exist + Scenario: Install succeeds even when serviceAccount references a non-existent SA When ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 @@ -108,45 +71,13 @@ Feature: Install ClusterExtension matchLabels: "olm.operatorframework.io/metadata.name": test-catalog """ - Then ClusterExtension reports Progressing as True with Reason Retrying and Message includes: - """ - operation cannot proceed due to the following validation error(s): service account "non-existent-sa" not found in namespace "${TEST_NAMESPACE}" - """ + Then ClusterExtension is rolled out + And ClusterExtension is available + And bundle "test-operator.1.2.0" is installed in version "1.2.0" - @SingleOwnNamespaceInstallSupport - Scenario: watchNamespace config is required for extension supporting single namespace - Given ServiceAccount "olm-admin" in test namespace is cluster admin - And resource is applied - """ - apiVersion: v1 - kind: Namespace - metadata: - name: single-namespace-operator-target - """ - And ClusterExtension is applied - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - source: - sourceType: Catalog - catalog: - packageName: single-namespace-operator - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - And ClusterExtension reports Progressing as False with Reason InvalidConfiguration and Message: - """ - error for resolved bundle "single-namespace-operator.1.0.0" with version "1.0.0": - invalid ClusterExtension configuration: invalid configuration: required field "watchNamespace" is missing - """ - When ClusterExtension is updated to set config.watchNamespace field + @mirrored-registry + Scenario Outline: Install latest available version from mirrored registry + When ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension @@ -154,52 +85,30 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - config: - configType: Inline - inline: - watchNamespace: single-namespace-operator-target # added source: sourceType: Catalog catalog: - packageName: single-namespace-operator + packageName: selector: matchLabels: "olm.operatorframework.io/metadata.name": test-catalog """ - Then ClusterExtension reports Installed as True - And bundle "single-namespace-operator.1.0.0" is installed in version "1.0.0" - And operator "single-namespace-operator" target namespace is "single-namespace-operator-target" + Then ClusterExtension is rolled out + And ClusterExtension is available + And bundle "-operator.1.2.0" is installed in version "1.2.0" + And resource "networkpolicy/test-operator-network-policy" is installed + And resource "configmap/test-configmap" is installed + And resource "deployment/test-operator" is installed - @SingleOwnNamespaceInstallSupport - Scenario: watchNamespace config is required for extension supporting own namespace - Given ServiceAccount "olm-admin" in test namespace is cluster admin - And ClusterExtension is applied without the watchNamespace configuration - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - source: - sourceType: Catalog - catalog: - packageName: own-namespace-operator - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - And ClusterExtension reports Progressing as False with Reason InvalidConfiguration and Message: - """ - error for resolved bundle "own-namespace-operator.1.0.0" with version - "1.0.0": invalid ClusterExtension configuration: invalid configuration: required - field "watchNamespace" is missing - """ - And ClusterExtension is updated to include the watchNamespace configuration + Examples: + | package-name | + | test-mirrored | + | dynamic | + + + Scenario: Report that bundle cannot be installed when it exists in multiple catalogs with same priority + Given ClusterCatalog "extra" serves bundles + When ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension @@ -207,57 +116,18 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - config: - configType: Inline - inline: - watchNamespace: some-ns # added, but not own namespace source: sourceType: Catalog catalog: - packageName: own-namespace-operator - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - And ClusterExtension reports Progressing as False with Reason InvalidConfiguration and Message: - """ - error for resolved bundle "own-namespace-operator.1.0.0" with version - "1.0.0": invalid ClusterExtension configuration: invalid configuration: invalid - format for field "watchNamespace": 'some-ns' is not valid ownNamespaceInstallMode: - invalid value "some-ns": must be "${TEST_NAMESPACE}" (the namespace where the - operator is installed) because this operator only supports OwnNamespace install mode + packageName: test """ - When ClusterExtension is updated to set watchNamespace to own namespace value + Then ClusterExtension reports Progressing as True with Reason Retrying and Message: """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - config: - configType: Inline - inline: - watchNamespace: ${TEST_NAMESPACE} # own namespace - source: - sourceType: Catalog - catalog: - packageName: own-namespace-operator - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog + found bundles for package "test" in multiple catalogs with the same priority [extra-catalog test-catalog] """ - Then ClusterExtension is rolled out - And ClusterExtension is available - And operator "own-namespace-operator" target namespace is "${TEST_NAMESPACE}" @WebhookProviderCertManager Scenario: Install operator having webhooks - Given ServiceAccount "olm-admin" in test namespace is cluster admin When ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 @@ -266,8 +136,6 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin source: sourceType: Catalog catalog: @@ -322,67 +190,6 @@ Feature: Install ClusterExtension mutate: true """ - @SingleOwnNamespaceInstallSupport - Scenario: Report failure when watchNamespace has invalid DNS-1123 name - Given ServiceAccount "olm-admin" in test namespace is cluster admin - When ClusterExtension is applied - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - config: - configType: Inline - inline: - watchNamespace: invalid-namespace- - source: - sourceType: Catalog - catalog: - packageName: single-namespace-operator - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - Then ClusterExtension reports Progressing as False with Reason InvalidConfiguration and Message includes: - """ - invalid ClusterExtension configuration: invalid configuration: field "watchNamespace" must match pattern - """ - - @SingleOwnNamespaceInstallSupport - @WebhookProviderCertManager - Scenario: Reject watchNamespace for operator that does not support Single/OwnNamespace install modes - Given ServiceAccount "olm-admin" in test namespace is cluster admin - When ClusterExtension is applied - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-admin - config: - configType: Inline - inline: - watchNamespace: ${TEST_NAMESPACE} - source: - sourceType: Catalog - catalog: - packageName: webhook-operator - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - Then ClusterExtension reports Progressing as False with Reason InvalidConfiguration and Message includes: - """ - invalid ClusterExtension configuration: invalid configuration: unknown field "watchNamespace" - """ - @BoxcutterRuntime @ProgressDeadline Scenario: Report ClusterExtension as not progressing if the rollout does not become available within given timeout @@ -397,8 +204,6 @@ Feature: Install ClusterExtension spec: namespace: ${TEST_NAMESPACE} progressDeadlineMinutes: 1 - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -430,8 +235,6 @@ Feature: Install ClusterExtension spec: namespace: ${TEST_NAMESPACE} progressDeadlineMinutes: 1 - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -458,8 +261,6 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -485,8 +286,6 @@ Feature: Install ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: diff --git a/test/e2e/features/recover.feature b/test/e2e/features/recover.feature index c222756a47..c2ed77567e 100644 --- a/test/e2e/features/recover.feature +++ b/test/e2e/features/recover.feature @@ -5,8 +5,7 @@ Feature: Recover cluster extension from errors that might occur during its lifet And ClusterCatalog "test" serves bundles Scenario: Restore removed resource - Given ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} - And ClusterExtension is applied + Given ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension @@ -14,8 +13,6 @@ Feature: Recover cluster extension from errors that might occur during its lifet name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -29,33 +26,8 @@ Feature: Recover cluster extension from errors that might occur during its lifet When resource "configmap/test-configmap" is removed Then resource "configmap/test-configmap" is eventually restored - Scenario: Install ClusterExtension after target namespace becomes available - Given ClusterExtension is applied - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa - source: - sourceType: Catalog - catalog: - packageName: test - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - And ClusterExtension reports Progressing as True with Reason Retrying - When ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} - Then ClusterExtension is available - And ClusterExtension reports Progressing as True with Reason Succeeded - Scenario: Install ClusterExtension after conflicting resource is removed - Given ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} - And resource is applied + Given resource is applied """ apiVersion: apps/v1 kind: Deployment @@ -98,8 +70,6 @@ Feature: Recover cluster extension from errors that might occur during its lifet name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -115,43 +85,8 @@ Feature: Recover cluster extension from errors that might occur during its lifet And ClusterExtension reports Progressing as True with Reason Succeeded And ClusterExtension reports Installed as True - @PreflightPermissions - Scenario: ClusterExtension installation succeeds after service account gets the required missing permissions to - manage the bundle's resources - Given ServiceAccount "olm-sa" is available in ${TEST_NAMESPACE} - And ClusterExtension is applied - """ - apiVersion: olm.operatorframework.io/v1 - kind: ClusterExtension - metadata: - name: ${NAME} - spec: - namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa - source: - sourceType: Catalog - catalog: - packageName: test - selector: - matchLabels: - "olm.operatorframework.io/metadata.name": test-catalog - """ - And ClusterExtension reports Progressing as True with Reason Retrying and Message includes: - """ - error for resolved bundle "test-operator.1.2.0" with version "1.2.0": creating new Revision: pre-authorization failed: service account requires the following permissions to manage cluster extension: - """ - And ClusterExtension reports Progressing as True with Reason Retrying and Message includes: - """ - Namespace:"" APIGroups:[apiextensions.k8s.io] Resources:[customresourcedefinitions] ResourceNames:[olme2etests.olm.operatorframework.io] Verbs:[delete,get,patch,update] - """ - When ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} - Then ClusterExtension is available - And ClusterExtension reports Progressing as True with Reason Succeeded - And ClusterExtension reports Installed as True - # CATALOG DELETION RESILIENCE SCENARIOS - + Scenario: Auto-healing continues working after catalog deletion # This test proves that extensions continue to auto-heal (restore deleted resources) even when # their source catalog is unavailable. We verify this by: @@ -163,8 +98,7 @@ Feature: Recover cluster extension from errors that might occur during its lifet # - If the controller stopped reconciling, the configmap would stay deleted # - Resource restoration is an observable event that PROVES active reconciliation # - The deployment staying healthy proves the workload continues running - Given ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} - And ClusterExtension is applied + Given ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension @@ -172,8 +106,6 @@ Feature: Recover cluster extension from errors that might occur during its lifet name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -203,8 +135,7 @@ Feature: Recover cluster extension from errors that might occur during its lifet # - Reconciliation completing (observedGeneration == generation) proves the spec was processed # - Progressing=Succeeded proves the controller didn't block on missing catalog # - Extension staying Available proves workload continues running - Given ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} - And ClusterExtension is applied + Given ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 kind: ClusterExtension @@ -212,8 +143,6 @@ Feature: Recover cluster extension from errors that might occur during its lifet name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -233,8 +162,6 @@ Feature: Recover cluster extension from errors that might occur during its lifet name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa install: preflight: crdUpgradeSafety: diff --git a/test/e2e/features/status.feature b/test/e2e/features/status.feature index 5c8a3141d6..13ee26576a 100644 --- a/test/e2e/features/status.feature +++ b/test/e2e/features/status.feature @@ -6,7 +6,6 @@ Feature: Report status of the managed ClusterExtension workload Background: Given OLM is available And ClusterCatalog "test" serves bundles - And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} And ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 @@ -15,8 +14,6 @@ Feature: Report status of the managed ClusterExtension workload name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -42,4 +39,4 @@ Feature: Report status of the managed ClusterExtension workload And ClusterExtensionRevision "${NAME}-1" reports Available as False with Reason ProbeFailure When resource "deployment/test-operator" reports as ready Then ClusterExtension is available - And ClusterExtensionRevision "${NAME}-1" reports Available as True with Reason ProbesSucceeded \ No newline at end of file + And ClusterExtensionRevision "${NAME}-1" reports Available as True with Reason ProbesSucceeded diff --git a/test/e2e/features/uninstall.feature b/test/e2e/features/uninstall.feature index e14b8494fe..99000de96b 100644 --- a/test/e2e/features/uninstall.feature +++ b/test/e2e/features/uninstall.feature @@ -6,7 +6,6 @@ Feature: Uninstall ClusterExtension Background: Given OLM is available And ClusterCatalog "test" serves bundles - And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} And ClusterExtension is applied """ apiVersion: olm.operatorframework.io/v1 @@ -15,8 +14,6 @@ Feature: Uninstall ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -32,11 +29,3 @@ Feature: Uninstall ClusterExtension Scenario: Removing ClusterExtension triggers the extension uninstall, eventually removing all installed resources When ClusterExtension is removed Then the ClusterExtension's constituent resources are removed - - Scenario: Removing ClusterExtension resources leads to all installed resources being removed even if the service account is no longer present - When resource "serviceaccount/olm-sa" is removed - # Ensure service account is gone before checking to ensure resources are cleaned up whether the service account - # and its permissions are present on the cluster or not - And resource "serviceaccount/olm-sa" is eventually not found - And ClusterExtension is removed - Then the ClusterExtension's constituent resources are removed diff --git a/test/e2e/features/update.feature b/test/e2e/features/update.feature index e1b4becca9..454b167a1c 100644 --- a/test/e2e/features/update.feature +++ b/test/e2e/features/update.feature @@ -6,7 +6,6 @@ Feature: Update ClusterExtension Background: Given OLM is available And ClusterCatalog "test" serves bundles - And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE} Scenario: Update to a successor version Given ClusterExtension is applied @@ -17,8 +16,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -44,8 +41,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -65,8 +60,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -90,8 +83,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -111,8 +102,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -137,8 +126,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -152,7 +139,7 @@ Feature: Update ClusterExtension And bundle "test-operator.1.2.0" is installed in version "1.2.0" When ClusterCatalog "test" is updated to version "v2" Then bundle "test-operator.1.3.0" is installed in version "1.3.0" - + Scenario: Auto update when new version becomes available in the same catalog image ref Given "test" catalog image version "v1" is also tagged as "latest" And ClusterCatalog "test" is updated to version "latest" @@ -164,8 +151,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -190,8 +175,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -224,8 +207,6 @@ Feature: Update ClusterExtension name: ${NAME} spec: namespace: ${TEST_NAMESPACE} - serviceAccount: - name: olm-sa source: sourceType: Catalog catalog: @@ -242,4 +223,3 @@ Feature: Update ClusterExtension Then ClusterExtension reports "${NAME}-1, ${NAME}-2" as active revisions And ClusterExtensionRevision "${NAME}-2" reports Progressing as True with Reason RollingOut And ClusterExtensionRevision "${NAME}-2" reports Available as False with Reason ProbeFailure - diff --git a/test/e2e/steps/hooks.go b/test/e2e/steps/hooks.go index 9291380460..fc811a7533 100644 --- a/test/e2e/steps/hooks.go +++ b/test/e2e/steps/hooks.go @@ -65,9 +65,6 @@ var ( devMode = false featureGates = map[featuregate.Feature]bool{ features.WebhookProviderCertManager: true, - features.PreflightPermissions: false, - features.SingleOwnNamespaceInstallSupport: true, - features.SyntheticPermissions: false, features.WebhookProviderOpenshiftServiceCA: false, features.HelmChartSupport: false, features.BoxcutterRuntime: false, @@ -146,6 +143,13 @@ func CreateScenarioContext(ctx context.Context, sc *godog.Scenario) (context.Con namespace: fmt.Sprintf("ns-%s", sc.Id), clusterExtensionName: fmt.Sprintf("ce-%s", sc.Id), } + + // Create the test namespace for this scenario + nsYaml := fmt.Sprintf("apiVersion: v1\nkind: Namespace\nmetadata:\n name: %s", scCtx.namespace) + if _, err := k8scliWithInput(nsYaml, "apply", "-f", "-"); err != nil { + return ctx, fmt.Errorf("failed to create test namespace %s: %v", scCtx.namespace, err) + } + return context.WithValue(ctx, scenarioContextKey, scCtx), nil } @@ -161,16 +165,13 @@ func stderrOutput(err error) string { return "" } -func ScenarioCleanup(ctx context.Context, _ *godog.Scenario, err error) (context.Context, error) { +func ScenarioCleanup(ctx context.Context, _ *godog.Scenario, scenarioErr error) (context.Context, error) { sc := scenarioCtx(ctx) for _, bgCmd := range sc.backGroundCmds { if p := bgCmd.Process; p != nil { _ = p.Kill() } } - if err != nil { - return ctx, err - } forDeletion := []resource{} if sc.clusterExtensionName != "" { @@ -184,5 +185,5 @@ func ScenarioCleanup(ctx context.Context, _ *godog.Scenario, err error) (context } } }() - return ctx, nil + return ctx, scenarioErr } diff --git a/test/e2e/steps/steps.go b/test/e2e/steps/steps.go index abea3fcb22..2a14bca0c3 100644 --- a/test/e2e/steps/steps.go +++ b/test/e2e/steps/steps.go @@ -89,10 +89,6 @@ func RegisterSteps(sc *godog.ScenarioContext) { sc.Step(`^(?i)resource "([^"]+)" is eventually restored$`, ResourceRestored) sc.Step(`^(?i)resource "([^"]+)" matches$`, ResourceMatches) - sc.Step(`^(?i)ServiceAccount "([^"]*)" with needed permissions is available in test namespace$`, ServiceAccountWithNeededPermissionsIsAvailableInNamespace) - sc.Step(`^(?i)ServiceAccount "([^"]*)" with needed permissions is available in \${TEST_NAMESPACE}$`, ServiceAccountWithNeededPermissionsIsAvailableInNamespace) - sc.Step(`^(?i)ServiceAccount "([^"]*)" is available in \${TEST_NAMESPACE}$`, ServiceAccountIsAvailableInNamespace) - sc.Step(`^(?i)ServiceAccount "([^"]*)" in test namespace is cluster admin$`, ServiceAccountWithClusterAdminPermissionsIsAvailableInNamespace) sc.Step(`^(?i)ServiceAccount "([^"]+)" in test namespace has permissions to fetch "([^"]+)" metrics$`, ServiceAccountWithFetchMetricsPermissions) sc.Step(`^(?i)ServiceAccount "([^"]+)" sends request to "([^"]+)" endpoint of "([^"]+)" service$`, SendMetricsRequest) @@ -104,7 +100,7 @@ func RegisterSteps(sc *godog.ScenarioContext) { sc.Step(`^(?i)ClusterCatalog "([^"]+)" image version "([^"]+)" is also tagged as "([^"]+)"$`, TagCatalogImage) sc.Step(`^(?i)ClusterCatalog "([^"]+)" is deleted$`, CatalogIsDeleted) - sc.Step(`^(?i)operator "([^"]+)" target namespace is "([^"]+)"$`, OperatorTargetNamespace) + sc.Step(`^(?i)operator "([^"]+)" target namespace is "([^"]*)"$`, OperatorTargetNamespace) sc.Step(`^(?i)Prometheus metrics are returned in the response$`, PrometheusMetricsAreReturned) sc.Step(`^(?i)min value for (ClusterExtension|ClusterExtensionRevision) ((?:\.[a-zA-Z]+)+) is set to (\d+)$`, SetCRDFieldMinValue) @@ -760,75 +756,28 @@ func ResourceRestored(ctx context.Context, resource string) error { return nil } -func applyServiceAccount(ctx context.Context, serviceAccount string) error { +// ServiceAccountWithFetchMetricsPermissions creates a ServiceAccount and applies metrics-reader RBAC for the specified controller. +func ServiceAccountWithFetchMetricsPermissions(ctx context.Context, serviceAccount string, controllerName string) error { sc := scenarioCtx(ctx) vars := extendMap(map[string]string{ - "TEST_NAMESPACE": sc.namespace, - "SERVICE_ACCOUNT_NAME": serviceAccount, - "SERVICEACCOUNT_NAME": serviceAccount, + "TEST_NAMESPACE": sc.namespace, + "SERVICEACCOUNT_NAME": serviceAccount, + "CONTROLLER_NAME": controllerName, }) - yaml, err := templateYaml(filepath.Join("steps", "testdata", "serviceaccount-template.yaml"), vars) - if err != nil { - return fmt.Errorf("failed to template ServiceAccount yaml: %v", err) - } - - // Apply the ServiceAccount configuration - _, err = k8scliWithInput(yaml, "apply", "-f", "-") - if err != nil { - return fmt.Errorf("failed to apply ServiceAccount configuration: %v: %s", err, stderrOutput(err)) - } - - return nil -} - -func applyPermissionsToServiceAccount(ctx context.Context, serviceAccount, rbacTemplate string, keyValue ...string) error { - sc := scenarioCtx(ctx) - if err := applyServiceAccount(ctx, serviceAccount); err != nil { - return err - } - vars := extendMap(map[string]string{ - "TEST_NAMESPACE": sc.namespace, - "SERVICE_ACCOUNT_NAME": serviceAccount, - "SERVICEACCOUNT_NAME": serviceAccount, - "CLUSTER_EXTENSION_NAME": sc.clusterExtensionName, - "CLUSTEREXTENSION_NAME": sc.clusterExtensionName, - }, keyValue...) - - yaml, err := templateYaml(filepath.Join("steps", "testdata", rbacTemplate), vars) + yaml, err := templateYaml(filepath.Join("steps", "testdata", "metrics-reader-rbac-template.yaml"), vars) if err != nil { - return fmt.Errorf("failed to template RBAC yaml: %v", err) + return fmt.Errorf("failed to template metrics-reader RBAC yaml: %v", err) } - // Apply the RBAC configuration _, err = k8scliWithInput(yaml, "apply", "-f", "-") if err != nil { - return fmt.Errorf("failed to apply RBAC configuration: %v: %s", err, stderrOutput(err)) + return fmt.Errorf("failed to apply metrics-reader RBAC: %v: %s", err, stderrOutput(err)) } return nil } -// ServiceAccountIsAvailableInNamespace creates a ServiceAccount in the test namespace without RBAC permissions. -func ServiceAccountIsAvailableInNamespace(ctx context.Context, serviceAccount string) error { - return applyServiceAccount(ctx, serviceAccount) -} - -// ServiceAccountWithNeededPermissionsIsAvailableInNamespace creates a ServiceAccount and applies standard RBAC permissions. -func ServiceAccountWithNeededPermissionsIsAvailableInNamespace(ctx context.Context, serviceAccount string) error { - return applyPermissionsToServiceAccount(ctx, serviceAccount, "rbac-template.yaml") -} - -// ServiceAccountWithClusterAdminPermissionsIsAvailableInNamespace creates a ServiceAccount and applies cluster-admin RBAC. -func ServiceAccountWithClusterAdminPermissionsIsAvailableInNamespace(ctx context.Context, serviceAccount string) error { - return applyPermissionsToServiceAccount(ctx, serviceAccount, "cluster-admin-rbac-template.yaml") -} - -// ServiceAccountWithFetchMetricsPermissions creates a ServiceAccount and applies metrics-reader RBAC for the specified controller. -func ServiceAccountWithFetchMetricsPermissions(ctx context.Context, serviceAccount string, controllerName string) error { - return applyPermissionsToServiceAccount(ctx, serviceAccount, "metrics-reader-rbac-template.yaml", "CONTROLLER_NAME", controllerName) -} - func httpGet(url string, token string) (*http.Response, error) { tr := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // we don't care about the certificate diff --git a/test/e2e/steps/testdata/cluster-admin-rbac-template.yaml b/test/e2e/steps/testdata/cluster-admin-rbac-template.yaml deleted file mode 100644 index c020c7ca55..0000000000 --- a/test/e2e/steps/testdata/cluster-admin-rbac-template.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ${TEST_NAMESPACE} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ${SERVICEACCOUNT_NAME} - namespace: ${TEST_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-cluster-admin-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: ${SERVICEACCOUNT_NAME} - namespace: ${TEST_NAMESPACE} diff --git a/test/e2e/steps/testdata/metrics-reader-rbac-template.yaml b/test/e2e/steps/testdata/metrics-reader-rbac-template.yaml index 4001f86812..a97a37fe46 100644 --- a/test/e2e/steps/testdata/metrics-reader-rbac-template.yaml +++ b/test/e2e/steps/testdata/metrics-reader-rbac-template.yaml @@ -1,10 +1,5 @@ --- apiVersion: v1 -kind: Namespace -metadata: - name: ${TEST_NAMESPACE} ---- -apiVersion: v1 kind: ServiceAccount metadata: name: ${SERVICEACCOUNT_NAME} diff --git a/test/e2e/steps/testdata/rbac-template.yaml b/test/e2e/steps/testdata/rbac-template.yaml deleted file mode 100644 index 90138b9c69..0000000000 --- a/test/e2e/steps/testdata/rbac-template.yaml +++ /dev/null @@ -1,68 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ${TEST_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-olm-admin-clusterrole -rules: - - apiGroups: [olm.operatorframework.io] - resources: [clusterextensions, clusterextensions/finalizers] - resourceNames: ["${CLUSTEREXTENSION_NAME}"] - verbs: [update] - # Allow ClusterExtensionRevisions to set blockOwnerDeletion ownerReferences - - apiGroups: [olm.operatorframework.io] - resources: [clusterextensionrevisions, clusterextensionrevisions/finalizers] - verbs: [update, create, list, watch, get, delete, patch] - - apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [update, create, list, watch, get, delete, patch] - - apiGroups: [""] - resources: - - configmaps - - secrets - - services - - serviceaccounts - - events - - namespaces - verbs: [update, create, list, watch, get, delete, patch] - - apiGroups: ["apps"] - resources: - - deployments - verbs: [ update, create, list, watch, get, delete, patch ] - - apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - verbs: [ update, create, list, watch, get, delete, patch ] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: - - clusterroles - - roles - - clusterrolebindings - - rolebindings - verbs: [ update, create, list, watch, get, delete, patch ] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: [ update, create, list, watch, get, delete, patch ] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: [create] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: [create] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-install-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-olm-admin-clusterrole -subjects: - - kind: ServiceAccount - name: ${SERVICEACCOUNT_NAME} - namespace: ${TEST_NAMESPACE} diff --git a/test/e2e/steps/testdata/serviceaccount-template.yaml b/test/e2e/steps/testdata/serviceaccount-template.yaml deleted file mode 100644 index 5d1c464493..0000000000 --- a/test/e2e/steps/testdata/serviceaccount-template.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ${TEST_NAMESPACE} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ${SERVICEACCOUNT_NAME} - namespace: ${TEST_NAMESPACE} \ No newline at end of file diff --git a/test/extension-developer-e2e/extension_developer_test.go b/test/extension-developer-e2e/extension_developer_test.go index a71f1f83d6..434cc31a83 100644 --- a/test/extension-developer-e2e/extension_developer_test.go +++ b/test/extension-developer-e2e/extension_developer_test.go @@ -2,19 +2,15 @@ package extensione2e import ( "context" - "fmt" "os" "testing" "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/rand" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" @@ -28,9 +24,6 @@ func TestExtensionDeveloper(t *testing.T) { scheme := runtime.NewScheme() require.NoError(t, ocv1.AddToScheme(scheme)) - require.NoError(t, ocv1.AddToScheme(scheme)) - require.NoError(t, corev1.AddToScheme(scheme)) - require.NoError(t, rbacv1.AddToScheme(scheme)) require.NotEmpty(t, os.Getenv("CATALOG_IMG"), "environment variable CATALOG_IMG must be set") require.NotEmpty(t, os.Getenv("REG_PKG_NAME"), "environment variable REG_PKG_NAME must be set") @@ -53,18 +46,10 @@ func TestExtensionDeveloper(t *testing.T) { }, }, } - require.NoError(t, c.Create(context.Background(), catalog)) + require.NoError(t, c.Create(ctx, catalog)) installNamespace := "default" - sa := &corev1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: fmt.Sprintf("serviceaccount-%s", rand.String(8)), - Namespace: installNamespace, - }, - } - require.NoError(t, c.Create(ctx, sa)) - clusterExtension := &ocv1.ClusterExtension{ ObjectMeta: metav1.ObjectMeta{ Name: "registryv1", @@ -77,138 +62,20 @@ func TestExtensionDeveloper(t *testing.T) { }, }, Namespace: installNamespace, - ServiceAccount: ocv1.ServiceAccountReference{ - Name: sa.Name, - }, - }, - } - - cr := &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: fmt.Sprintf("clusterrole-%s", rand.String(8)), - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{ - "olm.operatorframework.io", - }, - Resources: []string{ - "clusterextensions/finalizers", - }, - Verbs: []string{ - "update", - }, - ResourceNames: []string{clusterExtension.Name}, - }, - { - APIGroups: []string{ - "", - }, - Resources: []string{ - "configmaps", - "services", - "serviceaccounts", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - }, - }, - { - APIGroups: []string{ - "apiextensions.k8s.io", - }, - Resources: []string{ - "customresourcedefinitions", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - }, - }, - { - APIGroups: []string{ - "apps", - }, - Resources: []string{ - "deployments", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - }, - }, - { - APIGroups: []string{ - "rbac.authorization.k8s.io", - }, - Resources: []string{ - "clusterroles", - "roles", - "clusterrolebindings", - "rolebindings", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - "bind", - "escalate", - }, - }, - }, - } - require.NoError(t, c.Create(ctx, cr)) - - crb := &rbacv1.ClusterRoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: fmt.Sprintf("clusterrolebinding-%s", rand.String(8)), - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: sa.Name, - Namespace: sa.Namespace, - }, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: cr.Name, }, } - require.NoError(t, c.Create(ctx, crb)) t.Logf("When creating an ClusterExtension that references a package with a %q bundle type", clusterExtension.Name) - require.NoError(t, c.Create(context.Background(), clusterExtension)) + require.NoError(t, c.Create(ctx, clusterExtension)) t.Log("It should have a status condition type of Installed with a status of True and a reason of Success") require.EventuallyWithT(t, func(ct *assert.CollectT) { ext := &ocv1.ClusterExtension{} - require.NoError(ct, c.Get(context.Background(), client.ObjectKeyFromObject(clusterExtension), ext)) + require.NoError(ct, c.Get(ctx, client.ObjectKeyFromObject(clusterExtension), ext)) cond := meta.FindStatusCondition(ext.Status.Conditions, ocv1.TypeInstalled) require.NotNil(ct, cond) require.Equal(ct, metav1.ConditionTrue, cond.Status) require.Equal(ct, ocv1.ReasonSucceeded, cond.Reason) }, 2*time.Minute, time.Second) - require.NoError(t, c.Delete(context.Background(), catalog)) - require.NoError(t, c.Delete(context.Background(), clusterExtension)) + require.NoError(t, c.Delete(ctx, catalog)) + require.NoError(t, c.Delete(ctx, clusterExtension)) } diff --git a/test/helpers/helpers.go b/test/helpers/helpers.go index af142c6e34..51defba60e 100644 --- a/test/helpers/helpers.go +++ b/test/helpers/helpers.go @@ -53,167 +53,8 @@ func CreateNamespace(ctx context.Context, name string) (*corev1.Namespace, error return ns, nil } -func CreateServiceAccount(ctx context.Context, name types.NamespacedName, clusterExtensionName string) (*corev1.ServiceAccount, error) { - sa := &corev1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Name: name.Name, - Namespace: name.Namespace, - }, - } - err := c.Create(ctx, sa) - if err != nil { - return nil, err - } - - return sa, CreateClusterRoleAndBindingForSA(ctx, name.Name, sa, clusterExtensionName) -} - -func CreateClusterRoleAndBindingForSA(ctx context.Context, name string, sa *corev1.ServiceAccount, clusterExtensionName string) error { - cr := &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{ - "olm.operatorframework.io", - }, - Resources: []string{ - "clusterextensions/finalizers", - }, - Verbs: []string{ - "update", - }, - ResourceNames: []string{clusterExtensionName}, - }, - { - APIGroups: []string{ - "", - }, - Resources: []string{ - "configmaps", - "secrets", // for helm - "services", - "serviceaccounts", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - }, - }, - { - APIGroups: []string{ - "apiextensions.k8s.io", - }, - Resources: []string{ - "customresourcedefinitions", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - }, - }, - { - APIGroups: []string{ - "apps", - }, - Resources: []string{ - "deployments", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - }, - }, - { - APIGroups: []string{ - "rbac.authorization.k8s.io", - }, - Resources: []string{ - "clusterroles", - "roles", - "clusterrolebindings", - "rolebindings", - }, - Verbs: []string{ - "create", - "update", - "delete", - "patch", - "get", - "list", - "watch", - "bind", - "escalate", - }, - }, - { - APIGroups: []string{ - "networking.k8s.io", - }, - Resources: []string{ - "networkpolicies", - }, - Verbs: []string{ - "get", - "list", - "watch", - "create", - "update", - "patch", - "delete", - }, - }, - }, - } - err := c.Create(ctx, cr) - if err != nil { - return err - } - crb := &rbacv1.ClusterRoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: sa.Name, - Namespace: sa.Namespace, - }, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: name, - }, - } - err = c.Create(ctx, crb) - if err != nil { - return err - } - - return nil -} - -func TestInit(t *testing.T) (*ocv1.ClusterExtension, *ocv1.ClusterCatalog, *corev1.ServiceAccount, *corev1.Namespace) { - ce, cc := TestInitClusterExtensionClusterCatalog(t) - sa, ns := TestInitServiceAccountNamespace(t, ce.Name) - return ce, cc, sa, ns +func TestInit(t *testing.T) (*ocv1.ClusterExtension, *ocv1.ClusterCatalog) { + return TestInitClusterExtensionClusterCatalog(t) } func TestInitClusterExtensionClusterCatalog(t *testing.T) (*ocv1.ClusterExtension, *ocv1.ClusterCatalog) { @@ -234,23 +75,6 @@ func TestInitClusterExtensionClusterCatalog(t *testing.T) (*ocv1.ClusterExtensio return ce, cc } -func TestInitServiceAccountNamespace(t *testing.T, clusterExtensionName string) (*corev1.ServiceAccount, *corev1.Namespace) { - var err error - - ns, err := CreateNamespace(context.Background(), clusterExtensionName) - require.NoError(t, err) - - name := types.NamespacedName{ - Name: clusterExtensionName, - Namespace: ns.GetName(), - } - - sa, err := CreateServiceAccount(context.Background(), name, clusterExtensionName) - require.NoError(t, err) - - return sa, ns -} - // ValidateCatalogUnpack validates that the test catalog with the default name has unpacked successfully. // Deprecated: Use ValidateCatalogUnpackWithName for tests that use unique catalog names. func ValidateCatalogUnpack(t *testing.T) { @@ -316,7 +140,7 @@ func EnsureNoExtensionResources(t *testing.T, clusterExtensionName string) { }, 2*pollDuration, pollInterval) } -func TestCleanup(t *testing.T, cat *ocv1.ClusterCatalog, clusterExtension *ocv1.ClusterExtension, sa *corev1.ServiceAccount, ns *corev1.Namespace) { +func TestCleanup(t *testing.T, cat *ocv1.ClusterCatalog, clusterExtension *ocv1.ClusterExtension, ns *corev1.Namespace) { if cat != nil { t.Logf("By deleting ClusterCatalog %q", cat.Name) require.NoError(t, c.Delete(context.Background(), cat)) @@ -336,15 +160,6 @@ func TestCleanup(t *testing.T, cat *ocv1.ClusterCatalog, clusterExtension *ocv1. EnsureNoExtensionResources(t, clusterExtension.Name) } - if sa != nil { - t.Logf("By deleting ServiceAccount %q", sa.Name) - require.NoError(t, c.Delete(context.Background(), sa)) - require.Eventually(t, func() bool { - err := c.Get(context.Background(), types.NamespacedName{Name: sa.Name, Namespace: sa.Namespace}, &corev1.ServiceAccount{}) - return errors.IsNotFound(err) - }, pollDuration, pollInterval) - } - if ns != nil { t.Logf("By deleting Namespace %q", ns.Name) require.NoError(t, c.Delete(context.Background(), ns)) diff --git a/test/regression/convert/generate-manifests.go b/test/regression/convert/generate-manifests.go index f10169fed9..b59fdad4fd 100644 --- a/test/regression/convert/generate-manifests.go +++ b/test/regression/convert/generate-manifests.go @@ -61,7 +61,6 @@ func main() { for _, tc := range []struct { name string installNamespace string - watchNamespace string bundle string testCaseName string deploymentConfig *config.DeploymentConfig @@ -71,18 +70,6 @@ func main() { installNamespace: "argocd-system", bundle: "argocd-operator.v0.6.0", testCaseName: "all-namespaces", - }, { - name: "SingleNamespaces", - installNamespace: "argocd-system", - watchNamespace: "argocd-watch", - bundle: "argocd-operator.v0.6.0", - testCaseName: "single-namespace", - }, { - name: "OwnNamespaces", - installNamespace: "argocd-system", - watchNamespace: "argocd-system", - bundle: "argocd-operator.v0.6.0", - testCaseName: "own-namespace", }, { name: "Webhooks", installNamespace: "webhook-system", @@ -241,14 +228,14 @@ func main() { } { bundlePath := filepath.Join(bundleRootDir, tc.bundle) generatedManifestPath := filepath.Join(*outputRootDir, tc.bundle, tc.testCaseName) - if err := generateManifests(generatedManifestPath, bundlePath, tc.installNamespace, tc.watchNamespace, tc.deploymentConfig); err != nil { + if err := generateManifests(generatedManifestPath, bundlePath, tc.installNamespace, tc.deploymentConfig); err != nil { fmt.Printf("Error generating manifests: %v", err) os.Exit(1) } } } -func generateManifests(outputPath, bundleDir, installNamespace, watchNamespace string, deploymentConfig *config.DeploymentConfig) error { +func generateManifests(outputPath, bundleDir, installNamespace string, deploymentConfig *config.DeploymentConfig) error { // Parse bundleFS into RegistryV1 regv1, err := source.FromFS(os.DirFS(bundleDir)).GetBundle() if err != nil { @@ -256,8 +243,13 @@ func generateManifests(outputPath, bundleDir, installNamespace, watchNamespace s os.Exit(1) } - // Convert RegistryV1 to plain manifests - opts := []render.Option{render.WithTargetNamespaces(watchNamespace)} + // All registry+v1 bundles are rendered to watch all namespaces regardless of their + // stated supported install modes in order to align with OLMv1's single-tenant + // cluster-scoped philosophy. + opts := []render.Option{ + render.WithTargetNamespaces(corev1.NamespaceAll), + render.WithSkipInstallModeValidation(), + } if deploymentConfig != nil { opts = append(opts, render.WithDeploymentConfig(deploymentConfig)) } diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml deleted file mode 100644 index 19a68a5707..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: argocd-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml deleted file mode 100644 index d90e1d44b5..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml +++ /dev/null @@ -1,159 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - persistentvolumeclaims - - pods - - secrets - - serviceaccounts - - services - - services/finalizers - verbs: - - '*' -- apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get -- apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - argocd-operator - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - '*' -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - '*' -- apiGroups: - - argoproj.io - resources: - - argocdexports - - argocdexports/finalizers - - argocdexports/status - verbs: - - '*' -- apiGroups: - - argoproj.io - resources: - - argocds - - argocds/finalizers - - argocds/status - verbs: - - '*' -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - '*' -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - prometheuses - - servicemonitors - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - '*' -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - template.openshift.io - resources: - - templateconfigs - - templateinstances - - templates - verbs: - - '*' -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml deleted file mode 100644 index e1752b965a..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx -subjects: -- kind: ServiceAccount - name: argocd-operator-controller-manager - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/03_configmap_argocd-operator-manager-config.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/03_configmap_argocd-operator-manager-config.yaml deleted file mode 100644 index 98d1f72c07..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/03_configmap_argocd-operator-manager-config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: b674928d.argoproj.io -kind: ConfigMap -metadata: - name: argocd-operator-manager-config - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/04_customresourcedefinition_applications.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/04_customresourcedefinition_applications.argoproj.io.yaml deleted file mode 100644 index b1f398ec1b..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/04_customresourcedefinition_applications.argoproj.io.yaml +++ /dev/null @@ -1,4018 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applications.argoproj.io - app.kubernetes.io/part-of: argocd - name: applications.argoproj.io -spec: - group: argoproj.io - names: - kind: Application - listKind: ApplicationList - plural: applications - shortNames: - - app - - apps - singular: application - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.sync.status - name: Sync Status - type: string - - jsonPath: .status.health.status - name: Health Status - type: string - - jsonPath: .status.sync.revision - name: Revision - priority: 10 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Application is a definition of Application resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - operation: - description: Operation contains information about a requested or running - operation - properties: - info: - description: Info is a list of informational items for this operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who started - operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent retries - of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default unit - is seconds, but could also be a duration (e.g. "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time allowed - for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. - format: int64 - type: integer - type: object - sync: - description: Sync contains parameters for the operation - properties: - dryRun: - description: DryRun specifies to perform a `kubectl apply --dry-run` - without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides sync - source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from the cluster - that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall be part - of the sync - items: - description: SyncOperationResource contains resources to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision (Git) or chart version (Helm) - which to sync the application to If omitted, will use the revision - specified in app spec. - type: string - revisions: - description: Revisions is the list of revision (Git) or chart - version (Helm) which to sync each source in sources field for - the application to If omitted, will use the revision specified - in app spec. - items: - type: string - type: array - source: - description: Source overrides the source definition set in the - application. This is typically set in a Rollback operation and - is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by - not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources for - Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type - parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be - commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources overrides the source definition set in the - application. This is typically set in a Rollback operation and - is nil during a Sync operation - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncOptions: - description: SyncOptions provide per-sync sync-options, e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the sync - properties: - apply: - description: Apply will perform a `kubectl apply` to perform - the sync. - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force flag - deletes and re-create the resource, when PATCH encounters - conflict and has retried for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources to - perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force flag - deletes and re-create the resource, when PATCH encounters - conflict and has retried for 5 times. - type: boolean - type: object - type: object - type: object - type: object - spec: - description: ApplicationSpec represents desired application state. Contains - link to repository with application definition and additional parameters - link definition revision. - properties: - destination: - description: Destination is a reference to the target Kubernetes server - and namespace - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. The namespace will only be set for - namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API - type: string - type: object - ignoreDifferences: - description: IgnoreDifferences is a list of resources and their fields - which should be ignored during comparison - items: - description: ResourceIgnoreDifferences contains resource filter - and list of json paths which should be ignored during comparison - with live state. - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - description: ManagedFieldsManagers is a list of trusted managers. - Fields mutated by those managers will take precedence over - the desired state defined in the SCM and won't be displayed - in diffs - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - description: Info contains a list of information (URLs, email addresses, - and plain text) that relates to the application - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - description: Project is a reference to the project this application - belongs to. The empty string means that application belongs to the - 'default' project. - type: string - revisionHistoryLimit: - description: RevisionHistoryLimit limits the number of items kept - in the application's revision history, which is used for informational - purposes as well as for rollbacks to previous versions. This should - only be changed in exceptional circumstances. Setting to zero will - store no history. This will reduce storage used. Increasing will - increase the space used to store the history, so we do not recommend - increasing it. Default is 10. - format: int64 - type: integer - source: - description: Source is a reference to the location of the application's - manifests or chart - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being used - during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels to - add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to force - applying common annotations to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize to - use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be commit, - tag, or branch. If omitted, will equal to HEAD. In case of Helm, - this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the location of the application's - manifests or chart - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being - used during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to - force applying common annotations to resources for Kustomize - apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type - parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be commit, - tag, or branch. If omitted, will equal to HEAD. In case of - Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - description: SyncPolicy controls when and how a sync will be performed - properties: - automated: - description: Automated will keep an application synced to the - target revision - properties: - allowEmpty: - description: 'AllowEmpty allows apps have zero live resources - (default: false)' - type: boolean - prune: - description: 'Prune specifies whether to delete resources - from the cluster that are not found in the sources anymore - as part of automated sync (default: false)' - type: boolean - selfHeal: - description: 'SelfHeal specifes whether to revert resources - back to their desired state upon modification in the cluster - (default: false)' - type: boolean - type: object - managedNamespaceMetadata: - description: ManagedNamespaceMetadata controls metadata in the - given namespace (if CreateNamespace=true) - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time - allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. - format: int64 - type: integer - type: object - syncOptions: - description: Options allow you to specify whole app sync-options - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - status: - description: ApplicationStatus contains status information for the application - properties: - conditions: - description: Conditions is a list of currently observed application - conditions - items: - description: ApplicationCondition contains details about an application - condition, which is usally an error or warning - properties: - lastTransitionTime: - description: LastTransitionTime is the time the condition was - last observed - format: date-time - type: string - message: - description: Message contains human-readable message indicating - details about condition - type: string - type: - description: Type is an application condition type - type: string - required: - - message - - type - type: object - type: array - health: - description: Health contains information about the application's current - health status - properties: - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the application or - resource - type: string - type: object - history: - description: History contains information about the application's - sync history - items: - description: RevisionHistory contains history information about - a previous sync - properties: - deployStartedAt: - description: DeployStartedAt holds the time the sync operation - started - format: date-time - type: string - deployedAt: - description: DeployedAt holds the time the sync operation completed - format: date-time - type: string - id: - description: ID is an auto incrementing identifier of the RevisionHistory - format: int64 - type: integer - revision: - description: Revision holds the revision the sync was performed - against - type: string - revisions: - description: Revisions holds the revision of each source in - sources field the sync was performed against - items: - type: string - type: array - source: - description: Source is a reference to the application source - used for the sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the application sources - used for the sync operation - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - type: array - required: - - deployedAt - - id - type: object - type: array - observedAt: - description: 'ObservedAt indicates when the application state was - updated without querying latest git state Deprecated: controller - no longer updates ObservedAt field' - format: date-time - type: string - operationState: - description: OperationState contains information about any ongoing - operations, such as a sync - properties: - finishedAt: - description: FinishedAt contains time of operation completion - format: date-time - type: string - message: - description: Message holds any pertinent messages when attempting - to perform operation (typically errors). - type: string - operation: - description: Operation is the original requested operation - properties: - info: - description: Info is a list of informational items for this - operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was - initiated automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who - started operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync - fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base - duration after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of - time allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for - retrying a failed sync. If set to 0, no retries will - be performed. - format: int64 - type: integer - type: object - sync: - description: Sync contains parameters for the operation - properties: - dryRun: - description: DryRun specifies to perform a `kubectl apply - --dry-run` without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides - sync source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from - the cluster that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall - be part of the sync - items: - description: SyncOperationResource contains resources - to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision (Git) or chart version - (Helm) which to sync the application to If omitted, - will use the revision specified in app spec. - type: string - revisions: - description: Revisions is the list of revision (Git) or - chart version (Helm) which to sync each source in sources - field for the application to If omitted, will use the - revision specified in app spec. - items: - type: string - type: array - source: - description: Source overrides the source definition set - in the application. This is typically set in a Rollback - operation and is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to - Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents - helm template from failing when valueFiles do - not exist locally by not appending them to helm - template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of - Kustomize to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in - the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources overrides the source definition set - in the application. This is typically set in a Rollback - operation and is nil during a Sync operation - items: - description: ApplicationSource contains all required - information about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern - to match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern - to match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific - to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents - helm template from failing when valueFiles - do not exist locally by not appending them - to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter - that's passed to helm template during manifest - generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release - name to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource - definition installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to - be passed to helm template, typically defined - as a block - type: string - version: - description: Version is the Helm version to - use for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific - options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of - additional annotations to add to rendered - manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps - type: string - version: - description: Version controls which version - of Kustomize to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the - Git repository, and is only valid for applications - sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry - in the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the - variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an - array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map - type parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a - string type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source - within sources field. This field will not be used - if used with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision - of the source to sync the application to. In case - of Git, this can be commit, tag, or branch. If - omitted, will equal to HEAD. In case of Helm, - this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncOptions: - description: SyncOptions provide per-sync sync-options, - e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the - sync - properties: - apply: - description: Apply will perform a `kubectl apply` - to perform the sync. - properties: - force: - description: Force indicates whether or not to - supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, - when PATCH encounters conflict and has retried - for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources - to perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to - supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, - when PATCH encounters conflict and has retried - for 5 times. - type: boolean - type: object - type: object - type: object - type: object - phase: - description: Phase is the current phase of the operation - type: string - retryCount: - description: RetryCount contains time of operation retries - format: int64 - type: integer - startedAt: - description: StartedAt contains time of operation start - format: date-time - type: string - syncResult: - description: SyncResult is the result of a Sync operation - properties: - resources: - description: Resources contains a list of sync result items - for each individual resource in a sync operation - items: - description: ResourceResult holds the operation result details - of a specific resource - properties: - group: - description: Group specifies the API group of the resource - type: string - hookPhase: - description: HookPhase contains the state of any operation - associated with this resource OR hook This can also - contain values for non-hook resources. - type: string - hookType: - description: HookType specifies the type of the hook. - Empty for non-hook resources - type: string - kind: - description: Kind specifies the API kind of the resource - type: string - message: - description: Message contains an informational or error - message for the last sync OR operation - type: string - name: - description: Name specifies the name of the resource - type: string - namespace: - description: Namespace specifies the target namespace - of the resource - type: string - status: - description: Status holds the final result of the sync. - Will be empty if the resources is yet to be applied/pruned - and is always zero-value for hooks - type: string - syncPhase: - description: SyncPhase indicates the particular phase - of the sync that this result was acquired in - type: string - version: - description: Version specifies the API version of the - resource - type: string - required: - - group - - kind - - name - - namespace - - version - type: object - type: array - revision: - description: Revision holds the revision this sync operation - was performed to - type: string - revisions: - description: Revisions holds the revision this sync operation - was performed for respective indexed source in sources field - items: - type: string - type: array - source: - description: Source records the application source information - of the sync, used for comparing auto-sync - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Source records the application source information - of the sync, used for comparing auto-sync - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be - specified for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a - directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template - --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to - all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources for - Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - required: - - revision - type: object - required: - - operation - - phase - - startedAt - type: object - reconciledAt: - description: ReconciledAt indicates when the application state was - reconciled using the latest git version - format: date-time - type: string - resourceHealthSource: - description: 'ResourceHealthSource indicates where the resource health - status is stored: inline if not set or appTree' - type: string - resources: - description: Resources is a list of Kubernetes resources managed by - this application - items: - description: 'ResourceStatus holds the current sync and health status - of a resource TODO: describe members of this type' - properties: - group: - type: string - health: - description: HealthStatus contains information about the currently - observed health state of an application or resource - properties: - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the application - or resource - type: string - type: object - hook: - type: boolean - kind: - type: string - name: - type: string - namespace: - type: string - requiresPruning: - type: boolean - status: - description: SyncStatusCode is a type which represents possible - comparison results - type: string - syncWave: - format: int64 - type: integer - version: - type: string - type: object - type: array - sourceType: - description: SourceType specifies the type of this application - type: string - sourceTypes: - description: SourceTypes specifies the type of the sources included - in the application - items: - description: ApplicationSourceType specifies the type of the application's - source - type: string - type: array - summary: - description: Summary contains a list of URLs and container images - used by this application - properties: - externalURLs: - description: ExternalURLs holds all external URLs of application - child resources. - items: - type: string - type: array - images: - description: Images holds all images of application child resources. - items: - type: string - type: array - type: object - sync: - description: Sync contains information about the application's current - sync status - properties: - comparedTo: - description: ComparedTo contains information about what has been - compared - properties: - destination: - description: Destination is a reference to the application's - destination used for comparison - properties: - name: - description: Name is an alternate way of specifying the - target cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace - for the application's resources. The namespace will - only be set for namespace-scoped resources that have - not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API - type: string - type: object - source: - description: Source is a reference to the application's source - used for comparison - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the application's multiple - sources used for comparison - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be - specified for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a - directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template - --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to - all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources for - Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - required: - - destination - type: object - revision: - description: Revision contains information about the revision - the comparison has been performed to - type: string - revisions: - description: Revisions contains information about the revisions - of multiple sources the comparison has been performed to - items: - type: string - type: array - status: - description: Status is the sync state of the comparison - type: string - required: - - status - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/05_customresourcedefinition_applicationsets.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/05_customresourcedefinition_applicationsets.argoproj.io.yaml deleted file mode 100644 index 272bd9e056..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/05_customresourcedefinition_applicationsets.argoproj.io.yaml +++ /dev/null @@ -1,10772 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applicationsets.argoproj.io - app.kubernetes.io/part-of: argocd - name: applicationsets.argoproj.io -spec: - group: argoproj.io - names: - kind: ApplicationSet - listKind: ApplicationSetList - plural: applicationsets - shortNames: - - appset - - appsets - singular: applicationset - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - type: object - merge: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - mergeKeys: - items: - type: string - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - - mergeKeys - type: object - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - goTemplate: - type: boolean - strategy: - properties: - rollingSync: - properties: - steps: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - maxUpdate: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: array - type: object - type: - type: string - type: object - syncPolicy: - properties: - preserveResourcesOnDeletion: - type: boolean - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - - template - type: object - status: - properties: - applicationStatus: - items: - properties: - application: - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - step: - type: string - required: - - application - - message - - status - - step - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/06_customresourcedefinition_appprojects.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/06_customresourcedefinition_appprojects.argoproj.io.yaml deleted file mode 100644 index 1ed93a159d..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/06_customresourcedefinition_appprojects.argoproj.io.yaml +++ /dev/null @@ -1,328 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: appprojects.argoproj.io - app.kubernetes.io/part-of: argocd - name: appprojects.argoproj.io -spec: - group: argoproj.io - names: - kind: AppProject - listKind: AppProjectList - plural: appprojects - shortNames: - - appproj - - appprojs - singular: appproject - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: 'AppProject provides a logical grouping of applications, providing - controls for: * where the apps may deploy to (cluster whitelist) * what - may be deployed (repository whitelist, resource whitelist/blacklist) * who - can access these applications (roles, OIDC group claims bindings) * and - what they can do (RBAC policies) * automation access to these roles (JWT - tokens)' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AppProjectSpec is the specification of an AppProject - properties: - clusterResourceBlacklist: - description: ClusterResourceBlacklist contains list of blacklisted - cluster level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - clusterResourceWhitelist: - description: ClusterResourceWhitelist contains list of whitelisted - cluster level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - description: - description: Description contains optional project description - type: string - destinations: - description: Destinations contains list of destinations available - for deployment - items: - description: ApplicationDestination holds information about the - application's destination - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. The namespace will only be set for - namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API - type: string - type: object - type: array - namespaceResourceBlacklist: - description: NamespaceResourceBlacklist contains list of blacklisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - namespaceResourceWhitelist: - description: NamespaceResourceWhitelist contains list of whitelisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - orphanedResources: - description: OrphanedResources specifies if controller should monitor - orphaned resources of apps in this project - properties: - ignore: - description: Ignore contains a list of resources that are to be - excluded from orphaned resources monitoring - items: - description: OrphanedResourceKey is a reference to a resource - to be ignored from - properties: - group: - type: string - kind: - type: string - name: - type: string - type: object - type: array - warn: - description: Warn indicates if warning condition should be created - for apps which have orphaned resources - type: boolean - type: object - permitOnlyProjectScopedClusters: - description: PermitOnlyProjectScopedClusters determines whether destinations - can only reference clusters which are project-scoped - type: boolean - roles: - description: Roles are user defined RBAC roles associated with this - project - items: - description: ProjectRole represents a role that has access to a - project - properties: - description: - description: Description is a description of the role - type: string - groups: - description: Groups are a list of OIDC group claims bound to - this role - items: - type: string - type: array - jwtTokens: - description: JWTTokens are a list of generated JWT tokens bound - to this role - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - name: - description: Name is a name for this role - type: string - policies: - description: Policies Stores a list of casbin formatted strings - that define access policies for the role in the project - items: - type: string - type: array - required: - - name - type: object - type: array - signatureKeys: - description: SignatureKeys contains a list of PGP key IDs that commits - in Git must be signed with in order to be allowed for sync - items: - description: SignatureKey is the specification of a key required - to verify commit signatures with - properties: - keyID: - description: The ID of the key in hexadecimal notation - type: string - required: - - keyID - type: object - type: array - sourceNamespaces: - description: SourceNamespaces defines the namespaces application resources - are allowed to be created in - items: - type: string - type: array - sourceRepos: - description: SourceRepos contains list of repository URLs which can - be used for deployment - items: - type: string - type: array - syncWindows: - description: SyncWindows controls when syncs can be run for apps in - this project - items: - description: SyncWindow contains the kind, time, duration and attributes - that are used to assign the syncWindows to apps - properties: - applications: - description: Applications contains a list of applications that - the window will apply to - items: - type: string - type: array - clusters: - description: Clusters contains a list of clusters that the window - will apply to - items: - type: string - type: array - duration: - description: Duration is the amount of time the sync window - will be open - type: string - kind: - description: Kind defines if the window allows or blocks syncs - type: string - manualSync: - description: ManualSync enables manual syncs when they would - otherwise be blocked - type: boolean - namespaces: - description: Namespaces contains a list of namespaces that the - window will apply to - items: - type: string - type: array - schedule: - description: Schedule is the time the window will begin, specified - in cron format - type: string - timeZone: - description: TimeZone of the sync that will be applied to the - schedule - type: string - type: object - type: array - type: object - status: - description: AppProjectStatus contains status information for AppProject - CRs - properties: - jwtTokensByRole: - additionalProperties: - description: JWTTokens represents a list of JWT tokens - properties: - items: - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - type: object - description: JWTTokensByRole contains a list of JWT tokens issued - for a given role - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/07_customresourcedefinition_argocdexports.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/07_customresourcedefinition_argocdexports.argoproj.io.yaml deleted file mode 100644 index c3248d4740..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/07_customresourcedefinition_argocdexports.argoproj.io.yaml +++ /dev/null @@ -1,257 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - name: argocdexports.argoproj.io -spec: - group: argoproj.io - names: - kind: ArgoCDExport - listKind: ArgoCDExportList - plural: argocdexports - singular: argocdexport - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ArgoCDExport is the Schema for the argocdexports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ArgoCDExportSpec defines the desired state of ArgoCDExport - properties: - argocd: - description: Argocd is the name of the ArgoCD instance to export. - type: string - image: - description: Image is the container image to use for the export Job. - type: string - schedule: - description: Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. - type: string - storage: - description: Storage defines the storage configuration options. - properties: - backend: - description: Backend defines the storage backend to use, must - be "local" (the default), "aws", "azure" or "gcp". - type: string - pvc: - description: PVC is the desired characteristics for a PersistentVolumeClaim. - properties: - accessModes: - description: 'AccessModes contains the desired access modes - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: 'This field can be used to specify either: * - An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) If the provisioner - or an external controller can support the specified data - source, it will create a new volume based on the contents - of the specified data source. If the AnyVolumeDataSource - feature gate is enabled, this field will always have the - same contents as the DataSourceRef field.' - properties: - apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - dataSourceRef: - description: 'Specifies the object from which to populate - the volume with data, if a non-empty volume is desired. - This may be any local object from a non-empty API group - (non core object) or a PersistentVolumeClaim object. When - this field is specified, volume binding will only succeed - if the type of the specified object matches some installed - volume populator or dynamic provisioner. This field will - replace the functionality of the DataSource field and as - such if both fields are non-empty, they must have the same - value. For backwards compatibility, both fields (DataSource - and DataSourceRef) will be set to the same value automatically - if one of them is empty and the other is non-empty. There - are two important differences between DataSource and DataSourceRef: - * While DataSource only allows two specific types of objects, - DataSourceRef allows any non-core object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed values (dropping - them), DataSourceRef preserves all values, and generates - an error if a disallowed value is specified. (Alpha) Using - this field requires the AnyVolumeDataSource feature gate - to be enabled.' - properties: - apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum resources the - volume should have. If RecoverVolumeExpansionFailure feature - is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher - than capacity recorded in the status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - selector: - description: A label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of volume is required - by the claim. Value of Filesystem is implied when not included - in claim spec. - type: string - volumeName: - description: VolumeName is the binding reference to the PersistentVolume - backing this claim. - type: string - type: object - secretName: - description: SecretName is the name of a Secret with encryption - key, credentials, etc. - type: string - type: object - version: - description: Version is the tag/digest to use for the export Job container - image. - type: string - required: - - argocd - type: object - status: - description: ArgoCDExportStatus defines the observed state of ArgoCDExport - properties: - phase: - description: 'Phase is a simple, high-level summary of where the ArgoCDExport - is in its lifecycle. There are five possible phase values: Pending: - The ArgoCDExport has been accepted by the Kubernetes system, but - one or more of the required resources have not been created. Running: - All of the containers for the ArgoCDExport are still running, or - in the process of starting or restarting. Succeeded: All containers - for the ArgoCDExport have terminated in success, and will not be - restarted. Failed: At least one container has terminated in failure, - either exited with non-zero status or was terminated by the system. - Unknown: For some reason the state of the ArgoCDExport could not - be obtained.' - type: string - required: - - phase - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/08_customresourcedefinition_argocds.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/08_customresourcedefinition_argocds.argoproj.io.yaml deleted file mode 100644 index 426a186d4e..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/08_customresourcedefinition_argocds.argoproj.io.yaml +++ /dev/null @@ -1,6443 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - name: argocds.argoproj.io -spec: - group: argoproj.io - names: - kind: ArgoCD - listKind: ArgoCDList - plural: argocds - singular: argocd - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ArgoCD is the Schema for the argocds API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ArgoCDSpec defines the desired state of ArgoCD - properties: - applicationInstanceLabelKey: - description: ApplicationInstanceLabelKey is the key name where Argo - CD injects the app name as a tracking label. - type: string - applicationSet: - description: ArgoCDApplicationSet defines whether the Argo CD ApplicationSet - controller should be installed. - properties: - env: - description: Env lets you specify environment for applicationSet - controller pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - extraCommandArgs: - description: ExtraCommandArgs allows users to pass command line - arguments to ApplicationSet controller. They get added to default - command line arguments provided by the operator. Please note - that the command line arguments provided as part of ExtraCommandArgs - will not overwrite the default command line arguments. - items: - type: string - type: array - image: - description: Image is the Argo CD ApplicationSet image (optional) - type: string - logLevel: - description: LogLevel describes the log level that should be used - by the ApplicationSet controller. Defaults to ArgoCDDefaultLogLevel - if not set. Valid options are debug,info, error, and warn. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for ApplicationSet. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Argo CD ApplicationSet image tag. - (optional) - type: string - webhookServer: - description: WebhookServerSpec defines the options for the ApplicationSet - Webhook Server component. - properties: - host: - description: Host is the hostname to use for Ingress/Route - resources. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Application set webhook component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to - apply to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress - only supports a single TLS port, 443. If multiple members - of this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified - through the SNI TLS extension, if the ingress controller - fulfilling the ingress supports SNI. - items: - description: IngressTLS describes the transport layer - security associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included - in the TLS certificate. The values in this list - must match the name/s used in the tlsSecret. Defaults - to the wildcard host setting for the loadbalancer - controller fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret - used to terminate TLS traffic on port 443. Field - is left optional to allow TLS routing based on - SNI hostname alone. If the SNI host in a listener - conflicts with the "Host" header field used by - an IngressRule, the SNI host is used for termination - and value of the Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Application set webhook component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to - use for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the - Route resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the - contents of the ca certificate of the final destination. When - using reencrypt termination this file should be - provided in order to have routers use it for health - checks on the secure connection. If this field is - not specified, the router may provide its own destination - CA and perform hostname validation using the short - service name (service.namespace.svc), which allows - infrastructure generated certificates to automatically - verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to - a route. While each router may make its own decisions - on which ports to expose, this is normally port - 80. \n * Allow - traffic is sent to the server on - the insecure port (default) * Disable - no traffic - is allowed on the insecure port. * Redirect - clients - are redirected to the secure port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - type: object - type: object - banner: - description: Banner defines an additional banner to be displayed in - Argo CD UI - properties: - content: - description: Content defines the banner message content to display - type: string - url: - description: URL defines an optional URL to be used as banner - message link - type: string - required: - - content - type: object - configManagementPlugins: - description: ConfigManagementPlugins is used to specify additional - config management plugins. - type: string - controller: - description: Controller defines the Application Controller options - for ArgoCD. - properties: - appSync: - description: "AppSync is used to control the sync frequency, by - default the ArgoCD controller polls Git every 3m. \n Set this - to a duration, e.g. 10m or 600s to control the synchronisation - frequency." - type: string - env: - description: Env lets you specify environment for application - controller pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - logFormat: - description: LogFormat refers to the log format used by the Application - Controller component. Defaults to ArgoCDDefaultLogFormat if - not configured. Valid options are text or json. - type: string - logLevel: - description: LogLevel refers to the log level used by the Application - Controller component. Defaults to ArgoCDDefaultLogLevel if not - configured. Valid options are debug, info, error, and warn. - type: string - parallelismLimit: - description: ParallelismLimit defines the limit for parallel kubectl - operations - format: int32 - type: integer - processors: - description: Processors contains the options for the Application - Controller processors. - properties: - operation: - description: Operation is the number of application operation - processors. - format: int32 - type: integer - status: - description: Status is the number of application status processors. - format: int32 - type: integer - type: object - resources: - description: Resources defines the Compute Resources required - by the container for the Application Controller. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - sharding: - description: Sharding contains the options for the Application - Controller sharding configuration. - properties: - enabled: - description: Enabled defines whether sharding should be enabled - on the Application Controller component. - type: boolean - replicas: - description: Replicas defines the number of replicas to run - in the Application controller shard. - format: int32 - type: integer - type: object - type: object - dex: - description: Dex defines the Dex server options for ArgoCD. - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must be a - member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object - disableAdmin: - description: DisableAdmin will disable the admin user. - type: boolean - extraConfig: - additionalProperties: - type: string - description: "ExtraConfig can be used to add fields to Argo CD configmap - that are not supported by Argo CD CRD. \n Note: ExtraConfig takes - precedence over Argo CD CRD. For example, A user sets `argocd.Spec.DisableAdmin` - = true and also `a.Spec.ExtraConfig[\"admin.enabled\"]` = true. - In this case, operator updates Argo CD Configmap as follows -> argocd-cm.Data[\"admin.enabled\"] - = true." - type: object - gaAnonymizeUsers: - description: GAAnonymizeUsers toggles user IDs being hashed before - sending to google analytics. - type: boolean - gaTrackingID: - description: GATrackingID is the google analytics tracking ID to use. - type: string - grafana: - description: Grafana defines the Grafana server options for ArgoCD. - properties: - enabled: - description: Enabled will toggle Grafana support globally for - ArgoCD. - type: boolean - host: - description: Host is the hostname to use for Ingress/Route resources. - type: string - image: - description: Image is the Grafana container image. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Grafana component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to apply - to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress only - supports a single TLS port, 443. If multiple members of - this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified through - the SNI TLS extension, if the ingress controller fulfilling - the ingress supports SNI. - items: - description: IngressTLS describes the transport layer security - associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included in the - TLS certificate. The values in this list must match - the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller - fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret used - to terminate TLS traffic on port 443. Field is left - optional to allow TLS routing based on SNI hostname - alone. If the SNI host in a listener conflicts with - the "Host" header field used by an IngressRule, the - SNI host is used for termination and value of the - Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - resources: - description: Resources defines the Compute Resources required - by the container for Grafana. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Grafana component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to use - for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the Route - resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the contents - of the ca certificate of the final destination. When - using reencrypt termination this file should be provided - in order to have routers use it for health checks on - the secure connection. If this field is not specified, - the router may provide its own destination CA and perform - hostname validation using the short service name (service.namespace.svc), - which allows infrastructure generated certificates to - automatically verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to a route. - While each router may make its own decisions on which - ports to expose, this is normally port 80. \n * Allow - - traffic is sent to the server on the insecure port - (default) * Disable - no traffic is allowed on the insecure - port. * Redirect - clients are redirected to the secure - port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - size: - description: Size is the replica count for the Grafana Deployment. - format: int32 - type: integer - version: - description: Version is the Grafana container image tag. - type: string - required: - - enabled - type: object - ha: - description: HA options for High Availability support for the Redis - component. - properties: - enabled: - description: Enabled will toggle HA support globally for Argo - CD. - type: boolean - redisProxyImage: - description: RedisProxyImage is the Redis HAProxy container image. - type: string - redisProxyVersion: - description: RedisProxyVersion is the Redis HAProxy container - image tag. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for HA. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - required: - - enabled - type: object - helpChatText: - description: HelpChatText is the text for getting chat help, defaults - to "Chat now!" - type: string - helpChatURL: - description: HelpChatURL is the URL for getting chat help, this will - typically be your Slack channel for support. - type: string - image: - description: Image is the ArgoCD container image for all ArgoCD components. - type: string - import: - description: Import is the import/restore options for ArgoCD. - properties: - name: - description: Name of an ArgoCDExport from which to import data. - type: string - namespace: - description: Namespace for the ArgoCDExport, defaults to the same - namespace as the ArgoCD. - type: string - required: - - name - type: object - initialRepositories: - description: InitialRepositories to configure Argo CD with upon creation - of the cluster. - type: string - initialSSHKnownHosts: - description: InitialSSHKnownHosts defines the SSH known hosts data - upon creation of the cluster for connecting Git repositories via - SSH. - properties: - excludedefaulthosts: - description: ExcludeDefaultHosts describes whether you would like - to include the default list of SSH Known Hosts provided by ArgoCD. - type: boolean - keys: - description: Keys describes a custom set of SSH Known Hosts that - you would like to have included in your ArgoCD server. - type: string - type: object - kustomizeBuildOptions: - description: KustomizeBuildOptions is used to specify build options/parameters - to use with `kustomize build`. - type: string - kustomizeVersions: - description: KustomizeVersions is a listing of configured versions - of Kustomize to be made available within ArgoCD. - items: - description: KustomizeVersionSpec is used to specify information - about a kustomize version to be used within ArgoCD. - properties: - path: - description: Path is the path to a configured kustomize version - on the filesystem of your repo server. - type: string - version: - description: Version is a configured kustomize version in the - format of vX.Y.Z - type: string - type: object - type: array - monitoring: - description: Monitoring defines whether workload status monitoring - configuration for this instance. - properties: - enabled: - description: Enabled defines whether workload status monitoring - is enabled for this instance or not - type: boolean - required: - - enabled - type: object - nodePlacement: - description: NodePlacement defines NodeSelectors and Taints for Argo - CD workloads - properties: - nodeSelector: - additionalProperties: - type: string - description: NodeSelector is a field of PodSpec, it is a map of - key value pairs used for node selection - type: object - tolerations: - description: Tolerations allow the pods to schedule onto nodes - with matching taints - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - notifications: - description: Notifications defines whether the Argo CD Notifications - controller should be installed. - properties: - enabled: - description: Enabled defines whether argocd-notifications controller - should be deployed or not - type: boolean - env: - description: Env let you specify environment variables for Notifications - pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - image: - description: Image is the Argo CD Notifications image (optional) - type: string - logLevel: - description: LogLevel describes the log level that should be used - by the argocd-notifications. Defaults to ArgoCDDefaultLogLevel - if not set. Valid options are debug,info, error, and warn. - type: string - replicas: - description: Replicas defines the number of replicas to run for - notifications-controller - format: int32 - type: integer - resources: - description: Resources defines the Compute Resources required - by the container for Argo CD Notifications. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Argo CD Notifications image tag. (optional) - type: string - required: - - enabled - type: object - oidcConfig: - description: OIDCConfig is the OIDC configuration as an alternative - to dex. - type: string - prometheus: - description: Prometheus defines the Prometheus server options for - ArgoCD. - properties: - enabled: - description: Enabled will toggle Prometheus support globally for - ArgoCD. - type: boolean - host: - description: Host is the hostname to use for Ingress/Route resources. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Prometheus component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to apply - to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress only - supports a single TLS port, 443. If multiple members of - this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified through - the SNI TLS extension, if the ingress controller fulfilling - the ingress supports SNI. - items: - description: IngressTLS describes the transport layer security - associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included in the - TLS certificate. The values in this list must match - the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller - fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret used - to terminate TLS traffic on port 443. Field is left - optional to allow TLS routing based on SNI hostname - alone. If the SNI host in a listener conflicts with - the "Host" header field used by an IngressRule, the - SNI host is used for termination and value of the - Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Prometheus component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to use - for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the Route - resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the contents - of the ca certificate of the final destination. When - using reencrypt termination this file should be provided - in order to have routers use it for health checks on - the secure connection. If this field is not specified, - the router may provide its own destination CA and perform - hostname validation using the short service name (service.namespace.svc), - which allows infrastructure generated certificates to - automatically verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to a route. - While each router may make its own decisions on which - ports to expose, this is normally port 80. \n * Allow - - traffic is sent to the server on the insecure port - (default) * Disable - no traffic is allowed on the insecure - port. * Redirect - clients are redirected to the secure - port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - size: - description: Size is the replica count for the Prometheus StatefulSet. - format: int32 - type: integer - required: - - enabled - type: object - rbac: - description: RBAC defines the RBAC configuration for Argo CD. - properties: - defaultPolicy: - description: DefaultPolicy is the name of the default role which - Argo CD will falls back to, when authorizing API requests (optional). - If omitted or empty, users may be still be able to login, but - will see no apps, projects, etc... - type: string - policy: - description: 'Policy is CSV containing user-defined RBAC policies - and role definitions. Policy rules are in the form: p, subject, - resource, action, object, effect Role definitions and bindings - are in the form: g, subject, inherited-subject See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md - for additional information.' - type: string - policyMatcherMode: - description: PolicyMatcherMode configures the matchers function - mode for casbin. There are two options for this, 'glob' for - glob matcher or 'regex' for regex matcher. - type: string - scopes: - description: 'Scopes controls which OIDC scopes to examine during - rbac enforcement (in addition to `sub` scope). If omitted, defaults - to: ''[groups]''.' - type: string - type: object - redis: - description: Redis defines the Redis server options for ArgoCD. - properties: - autotls: - description: 'AutoTLS specifies the method to use for automatic - TLS configuration for the redis server The value specified here - can currently be: - openshift - Use the OpenShift service CA - to request TLS config' - type: string - disableTLSVerification: - description: DisableTLSVerification defines whether redis server - API should be accessed using strict TLS validation - type: boolean - image: - description: Image is the Redis container image. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for Redis. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Redis container image tag. - type: string - type: object - repo: - description: Repo defines the repo server options for Argo CD. - properties: - autotls: - description: 'AutoTLS specifies the method to use for automatic - TLS configuration for the repo server The value specified here - can currently be: - openshift - Use the OpenShift service CA - to request TLS config' - type: string - env: - description: Env lets you specify environment for repo server - pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - execTimeout: - description: ExecTimeout specifies the timeout in seconds for - tool execution - type: integer - extraRepoCommandArgs: - description: Extra Command arguments allows users to pass command - line arguments to repo server workload. They get added to default - command line arguments provided by the operator. Please note - that the command line arguments provided as part of ExtraRepoCommandArgs - will not overwrite the default command line arguments. - items: - type: string - type: array - image: - description: Image is the ArgoCD Repo Server container image. - type: string - initContainers: - description: InitContainers defines the list of initialization - containers for the repo server deployment - items: - description: A single application container that you want to - run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s - CMD is used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s environment. - If a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never be expanded, - regardless of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. - The docker image''s ENTRYPOINT is used if this is not - provided. Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable cannot - be resolved, the reference in the input string will be - unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the - container. Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the - pod's namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables - in the container. The keys defined within a source must - be a C_IDENTIFIER. All invalid keys will be reported as - an event when the container is starting. When a key exists - in multiple sources, the value associated with the last - source will take precedence. Values defined by an Env - with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a - set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap must - be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to - each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret must be - defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management - to default or override container images in workload controllers - like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent - otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take - in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, the - container is terminated and restarted according to - its restart policy. Other management of the container - blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a - container is terminated due to an API request or management - event such as liveness/startup probe failure, preemption, - resource contention, etc. The handler is not called - if the container crashes or exits. The Pod''s termination - grace period countdown begins before the PreStop hook - is executed. Regardless of the outcome of the handler, - the container will eventually terminate within the - Pod''s termination grace period (unless delayed by - finalizers). Other management of the container blocks - until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container - will be restarted if the probe fails. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but is - primarily informational. Not specifying a port here DOES - NOT prevent that port from being exposed. Any port which - is listening on the default "0.0.0.0" address inside a - container will be accessible from the network. Cannot - be updated. - items: - description: ContainerPort represents a network port in - a single container. - properties: - containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, 0 - < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port - to. - type: string - hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, this - must match ContainerPort. Most containers do not - need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in a - pod must have a unique name. Name for the port that - can be referred to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if the - probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields of - SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether - a process can gain more privileges than its parent - process. This bool directly controls if the no_new_privs - flag will be set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run as Privileged - 2) has CAP_SYS_ADMIN Note that this field cannot be - set when spec.os.name is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this field - cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc mount - to use for the containers. The default is DefaultProcMount - which uses the container runtime defaults for readonly - paths and masked paths. This requires the ProcMountType - feature flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if - it does. If unset or false, no such validation will - be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the - container. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is - windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this container. - If seccomp options are provided at both the pod & - container level, the container options override the - pod options. Note that this field cannot be set when - spec.os.name is windows. - properties: - localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative to - the kubelet's configured seccomp profile location. - Must only be set if type is "Localhost". - type: string - type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n - Localhost - a profile defined in a file on the - node should be used. RuntimeDefault - the container - runtime default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options from the - PodSecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored - by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the - Pod. All of a Pod's containers must have the same - effective HostProcess value (it is not allowed - to have a mix of HostProcess containers and non-HostProcess - containers). In addition, if HostProcess is true - then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully - initialized. If specified, no other probes are executed - until this completes successfully. If this probe fails, - the Pod will be restarted, just as if the livenessProbe - failed. This can be used to provide different probe parameters - at the beginning of a Pod''s lifecycle, when it might - take a long time to load data or warm a cache, than during - steady-state operation. This cannot be updated. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer - for stdin in the container runtime. If this is not set, - reads from stdin in the container will always result in - EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce is - set to true, stdin is opened on container start, is empty - until the first client attaches to stdin, and then remains - open and accepts data until the client disconnects, at - which time stdin is closed and remains closed until the - container is restarted. If this flag is false, a container - processes that reads from stdin will never receive an - EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written is - mounted into the container''s filesystem. Message written - is intended to be brief final status, such as an assertion - failure message. Will be truncated by the node if greater - than 4096 bytes. The total message length across all containers - will be limited to 12kb. Defaults to /dev/termination-log. - Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last chunk - of container log output if the termination message file - is empty and the container exited with an error. The log - output is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY - for itself, also requires 'stdin' to be true. Default - is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. - items: - description: volumeDevice describes a mapping of a raw - block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the - container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: Path within the container at which the - volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and the - other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the - container's volume should be mounted. Defaults to - "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable - references $(VAR_NAME) are expanded using the container's - environment. Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which might - be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - logFormat: - description: LogFormat describes the log format that should be - used by the Repo Server. Defaults to ArgoCDDefaultLogFormat - if not configured. Valid options are text or json. - type: string - logLevel: - description: LogLevel describes the log level that should be used - by the Repo Server. Defaults to ArgoCDDefaultLogLevel if not - set. Valid options are debug, info, error, and warn. - type: string - mountsatoken: - description: MountSAToken describes whether you would like to - have the Repo server mount the service account token - type: boolean - replicas: - description: Replicas defines the number of replicas for argocd-repo-server. - Value should be greater than or equal to 0. Default is nil. - format: int32 - type: integer - resources: - description: Resources defines the Compute Resources required - by the container for Redis. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - serviceaccount: - description: ServiceAccount defines the ServiceAccount user that - you would like the Repo server to use - type: string - sidecarContainers: - description: SidecarContainers defines the list of sidecar containers - for the repo server deployment - items: - description: A single application container that you want to - run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s - CMD is used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s environment. - If a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never be expanded, - regardless of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. - The docker image''s ENTRYPOINT is used if this is not - provided. Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable cannot - be resolved, the reference in the input string will be - unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the - container. Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the - pod's namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables - in the container. The keys defined within a source must - be a C_IDENTIFIER. All invalid keys will be reported as - an event when the container is starting. When a key exists - in multiple sources, the value associated with the last - source will take precedence. Values defined by an Env - with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a - set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap must - be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to - each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret must be - defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management - to default or override container images in workload controllers - like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent - otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take - in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, the - container is terminated and restarted according to - its restart policy. Other management of the container - blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a - container is terminated due to an API request or management - event such as liveness/startup probe failure, preemption, - resource contention, etc. The handler is not called - if the container crashes or exits. The Pod''s termination - grace period countdown begins before the PreStop hook - is executed. Regardless of the outcome of the handler, - the container will eventually terminate within the - Pod''s termination grace period (unless delayed by - finalizers). Other management of the container blocks - until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container - will be restarted if the probe fails. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but is - primarily informational. Not specifying a port here DOES - NOT prevent that port from being exposed. Any port which - is listening on the default "0.0.0.0" address inside a - container will be accessible from the network. Cannot - be updated. - items: - description: ContainerPort represents a network port in - a single container. - properties: - containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, 0 - < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port - to. - type: string - hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, this - must match ContainerPort. Most containers do not - need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in a - pod must have a unique name. Name for the port that - can be referred to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if the - probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields of - SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether - a process can gain more privileges than its parent - process. This bool directly controls if the no_new_privs - flag will be set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run as Privileged - 2) has CAP_SYS_ADMIN Note that this field cannot be - set when spec.os.name is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this field - cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc mount - to use for the containers. The default is DefaultProcMount - which uses the container runtime defaults for readonly - paths and masked paths. This requires the ProcMountType - feature flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if - it does. If unset or false, no such validation will - be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the - container. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is - windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this container. - If seccomp options are provided at both the pod & - container level, the container options override the - pod options. Note that this field cannot be set when - spec.os.name is windows. - properties: - localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative to - the kubelet's configured seccomp profile location. - Must only be set if type is "Localhost". - type: string - type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n - Localhost - a profile defined in a file on the - node should be used. RuntimeDefault - the container - runtime default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options from the - PodSecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored - by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the - Pod. All of a Pod's containers must have the same - effective HostProcess value (it is not allowed - to have a mix of HostProcess containers and non-HostProcess - containers). In addition, if HostProcess is true - then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully - initialized. If specified, no other probes are executed - until this completes successfully. If this probe fails, - the Pod will be restarted, just as if the livenessProbe - failed. This can be used to provide different probe parameters - at the beginning of a Pod''s lifecycle, when it might - take a long time to load data or warm a cache, than during - steady-state operation. This cannot be updated. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer - for stdin in the container runtime. If this is not set, - reads from stdin in the container will always result in - EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce is - set to true, stdin is opened on container start, is empty - until the first client attaches to stdin, and then remains - open and accepts data until the client disconnects, at - which time stdin is closed and remains closed until the - container is restarted. If this flag is false, a container - processes that reads from stdin will never receive an - EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written is - mounted into the container''s filesystem. Message written - is intended to be brief final status, such as an assertion - failure message. Will be truncated by the node if greater - than 4096 bytes. The total message length across all containers - will be limited to 12kb. Defaults to /dev/termination-log. - Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last chunk - of container log output if the termination message file - is empty and the container exited with an error. The log - output is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY - for itself, also requires 'stdin' to be true. Default - is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. - items: - description: volumeDevice describes a mapping of a raw - block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the - container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: Path within the container at which the - volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and the - other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the - container's volume should be mounted. Defaults to - "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable - references $(VAR_NAME) are expanded using the container's - environment. Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which might - be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - verifytls: - description: VerifyTLS defines whether repo server API should - be accessed using strict TLS validation - type: boolean - version: - description: Version is the ArgoCD Repo Server container image - tag. - type: string - volumeMounts: - description: VolumeMounts adds volumeMounts to the repo server - container - items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: Volumes adds volumes to the repo server deployment - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - partition: - description: 'The partition in the volume that you want - to mount. If omitted, the default is to mount by volume - name. Examples: For volume /dev/sda1, you specify - the partition as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the property - empty).' - format: int32 - type: integer - readOnly: - description: 'Specify "true" to force and set the ReadOnly - property in VolumeMounts to "true". If omitted, the - default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: boolean - volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: string - required: - - volumeID - type: object - azureDisk: - description: AzureDisk represents an Azure Data Disk mount - on the host and bind mount to the pod. - properties: - cachingMode: - description: 'Host Caching mode: None, Read Only, Read - Write.' - type: string - diskName: - description: The Name of the data disk in the blob storage - type: string - diskURI: - description: The URI the data disk in the blob storage - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - kind: - description: 'Expected values Shared: multiple blob - disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed data - disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: AzureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: the name of secret that contains Azure - Storage Account Name and Key - type: string - shareName: - description: Share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: CephFS represents a Ceph FS mount on the host - that shares a pod's lifetime - properties: - monitors: - description: 'Required: Monitors is a collection of - Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - items: - type: string - type: array - path: - description: 'Optional: Used as the mounted root, rather - than the full Ceph tree, default is /' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: boolean - secretFile: - description: 'Optional: SecretFile is the path to key - ring for User, default is /etc/ceph/user.secret More - info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - secretRef: - description: 'Optional: SecretRef is reference to the - authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - user: - description: 'Optional: User is the rados user name, - default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - required: - - monitors - type: object - cinder: - description: 'Cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - properties: - fsType: - description: 'Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: boolean - secretRef: - description: 'Optional: points to a secret object containing - parameters used to connect to OpenStack.' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - volumeID: - description: 'volume id used to identify the volume - in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - required: - - volumeID - type: object - configMap: - description: ConfigMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. Defaults - to 0644. Directories within the path are not affected - by this setting. This might be in conflict with other - options that affect the file mode, like fsGroup, and - the result can be other mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in - the Data field of the referenced ConfigMap will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the ConfigMap, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set - permissions on this file. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - path: - description: The relative path of the file to - map the key to. May not be an absolute path. - May not contain the path element '..'. May not - start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys - must be defined - type: boolean - type: object - csi: - description: CSI (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: Driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. - type: string - fsType: - description: Filesystem type to mount. Ex. "ext4", "xfs", - "ntfs". If not provided, the empty value is passed - to the associated CSI driver which will determine - the default filesystem to apply. - type: string - nodePublishSecretRef: - description: NodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - readOnly: - description: Specifies a read-only configuration for - the volume. Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: VolumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: DownwardAPI represents downward API about the - pod that should populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name and namespace - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must not - be absolute or contain the ''..'' path. Must - be utf-8 encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - emptyDir: - description: 'EmptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - properties: - medium: - description: 'What type of storage medium should back - this directory. The default is "" which means to use - the node''s default medium. Must be an empty string - (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: 'Total amount of local storage required - for this EmptyDir volume. The size limit is also applicable - for memory medium. The maximum usage on memory medium - EmptyDir would be the minimum value between the SizeLimit - specified here and the sum of memory limits of all - containers in a pod. The default is nil which means - that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: "Ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - \ a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between this - volume type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." - properties: - volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." - properties: - metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. - type: object - spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. - properties: - accessModes: - description: 'AccessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: 'This field can be used to specify - either: * An existing VolumeSnapshot object - (snapshot.storage.k8s.io/VolumeSnapshot) * - An existing PVC (PersistentVolumeClaim) If - the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. If the AnyVolumeDataSource - feature gate is enabled, this field will always - have the same contents as the DataSourceRef - field.' - properties: - apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - dataSourceRef: - description: 'Specifies the object from which - to populate the volume with data, if a non-empty - volume is desired. This may be any local object - from a non-empty API group (non core object) - or a PersistentVolumeClaim object. When this - field is specified, volume binding will only - succeed if the type of the specified object - matches some installed volume populator or - dynamic provisioner. This field will replace - the functionality of the DataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, both fields (DataSource and - DataSourceRef) will be set to the same value - automatically if one of them is empty and - the other is non-empty. There are two important - differences between DataSource and DataSourceRef: - * While DataSource only allows two specific - types of objects, DataSourceRef allows any - non-core object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error if a disallowed - value is specified. (Alpha) Using this field - requires the AnyVolumeDataSource feature gate - to be enabled.' - properties: - apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - selector: - description: A label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. - type: string - volumeName: - description: VolumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: FC represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: 'Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. TODO: how do we prevent errors in the - filesystem from compromising the machine' - type: string - lun: - description: 'Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts.' - type: boolean - targetWWNs: - description: 'Optional: FC target worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' - items: - type: string - type: array - type: object - flexVolume: - description: FlexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. - properties: - driver: - description: Driver is the name of the driver to use - for this volume. - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". The default filesystem depends on FlexVolume - script. - type: string - options: - additionalProperties: - type: string - description: 'Optional: Extra command options if any.' - type: object - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts.' - type: boolean - secretRef: - description: 'Optional: SecretRef is reference to the - secret object containing sensitive information to - pass to the plugin scripts. This may be empty if no - secret object is specified. If the secret object contains - more than one secret, all secrets are passed to the - plugin scripts.' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - required: - - driver - type: object - flocker: - description: Flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: Name of the dataset stored as metadata - -> name on the dataset for Flocker should be considered - as deprecated - type: string - datasetUUID: - description: UUID of the dataset. This is unique identifier - of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - partition: - description: 'The partition in the volume that you want - to mount. If omitted, the default is to mount by volume - name. Examples: For volume /dev/sda1, you specify - the partition as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the property - empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - format: int32 - type: integer - pdName: - description: 'Unique name of the PD resource in GCE. - Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: boolean - required: - - pdName - type: object - gitRepo: - description: 'GitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' - properties: - directory: - description: Target directory name. Must not contain - or start with '..'. If '.' is supplied, the volume - directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. - type: string - repository: - description: Repository URL - type: string - revision: - description: Commit hash for the specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: 'Glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' - properties: - endpoints: - description: 'EndpointsName is the endpoint name that - details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - path: - description: 'Path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - readOnly: - description: 'ReadOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: 'HostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' - properties: - path: - description: 'Path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - type: - description: 'Type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - required: - - path - type: object - iscsi: - description: 'ISCSI represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' - properties: - chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: whether support iSCSI Session CHAP authentication - type: boolean - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - initiatorName: - description: Custom iSCSI Initiator Name. If initiatorName - is specified with iscsiInterface simultaneously, new - iSCSI interface : will - be created for the connection. - type: string - iqn: - description: Target iSCSI Qualified Name. - type: string - iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI - transport. Defaults to 'default' (tcp). - type: string - lun: - description: iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: iSCSI Target Portal List. The portal is - either an IP or ip_addr:port if the port is other - than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: ReadOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. - type: boolean - secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - targetPortal: - description: iSCSI Target Portal. The Portal is either - an IP or ip_addr:port if the port is other than default - (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: 'Volume''s name. Must be a DNS_LABEL and unique - within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - nfs: - description: 'NFS represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - properties: - path: - description: 'Path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - readOnly: - description: 'ReadOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: boolean - server: - description: 'Server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - type: string - readOnly: - description: Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - pdID: - description: ID that identifies Photon Controller persistent - disk - type: string - required: - - pdID - type: object - portworxVolume: - description: PortworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: FSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: VolumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: Items for all in one resources secrets, configmaps, - and downward API - properties: - defaultMode: - description: Mode bits used to set permissions on created - files by default. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires - decimal values for mode bits. Directories within the - path are not affected by this setting. This might - be in conflict with other options that affect the - file mode, like fsGroup, and the result can be other - mode bits set. - format: int32 - type: integer - sources: - description: list of volume projections - items: - description: Projection that may be projected along - with other supported volume types - properties: - configMap: - description: information about the configMap data - to project - properties: - items: - description: If unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain - the path element '..'. May not start - with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - downwardAPI: - description: information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute or - contain the ''..'' path. Must be utf-8 - encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' - properties: - containerName: - description: 'Container name: required - for volumes, optional for env - vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - secret: - description: information about the secret data - to project - properties: - items: - description: If unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain - the path element '..'. May not start - with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - type: object - serviceAccountToken: - description: information about the serviceAccountToken - data to project - properties: - audience: - description: Audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. - format: int64 - type: integer - path: - description: Path is the path relative to - the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: Quobyte represents a Quobyte mount on the host - that shares a pod's lifetime - properties: - group: - description: Group to map volume access to Default is - no group - type: string - readOnly: - description: ReadOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. - type: boolean - registry: - description: Registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes - type: string - tenant: - description: Tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin - type: string - user: - description: User to map volume access to Defaults to - serivceaccount user - type: string - volume: - description: Volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: 'RBD represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - keyring: - description: 'Keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - monitors: - description: 'A collection of Ceph monitors. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - items: - type: string - type: array - pool: - description: 'The rados pool name. Default is rbd. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: boolean - secretRef: - description: 'SecretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - user: - description: 'The rados user name. Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - required: - - image - - monitors - type: object - scaleIO: - description: ScaleIO represents a ScaleIO persistent volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Default is "xfs". - type: string - gateway: - description: The host address of the ScaleIO API Gateway. - type: string - protectionDomain: - description: The name of the ScaleIO Protection Domain - for the configured storage. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - description: Indicates whether the storage for a volume - should be ThickProvisioned or ThinProvisioned. Default - is ThinProvisioned. - type: string - storagePool: - description: The ScaleIO Storage Pool associated with - the protection domain. - type: string - system: - description: The name of the storage system as configured - in ScaleIO. - type: string - volumeName: - description: The name of a volume already created in - the ScaleIO system that is associated with this volume - source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: 'Secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. Defaults - to 0644. Directories within the path are not affected - by this setting. This might be in conflict with other - options that affect the file mode, like fsGroup, and - the result can be other mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in - the Data field of the referenced Secret will be projected - into the volume as a file whose name is the key and - content is the value. If specified, the listed keys - will be projected into the specified paths, and unlisted - keys will not be present. If a key is specified which - is not present in the Secret, the volume setup will - error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start - with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set - permissions on this file. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - path: - description: The relative path of the file to - map the key to. May not be an absolute path. - May not contain the path element '..'. May not - start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: Specify whether the Secret or its keys - must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - type: object - storageos: - description: StorageOS represents a StorageOS volume attached - and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - volumeName: - description: VolumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. - type: string - volumeNamespace: - description: VolumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. - type: string - type: object - vsphereVolume: - description: VsphereVolume represents a vSphere volume attached - and mounted on kubelets host machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - storagePolicyID: - description: Storage Policy Based Management (SPBM) - profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: Storage Policy Based Management (SPBM) - profile name. - type: string - volumePath: - description: Path that identifies vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - repositoryCredentials: - description: RepositoryCredentials are the Git pull credentials to - configure Argo CD with upon creation of the cluster. - type: string - resourceActions: - description: ResourceActions customizes resource action behavior. - items: - description: Resource Customization for custom action - properties: - action: - type: string - group: - type: string - kind: - type: string - type: object - type: array - resourceCustomizations: - description: 'ResourceCustomizations customizes resource behavior. - Keys are in the form: group/Kind. Please note that this is being - deprecated in favor of ResourceHealthChecks, ResourceIgnoreDifferences, - and ResourceActions.' - type: string - resourceExclusions: - description: ResourceExclusions is used to completely ignore entire - classes of resource group/kinds. - type: string - resourceHealthChecks: - description: ResourceHealthChecks customizes resource health check - behavior. - items: - description: Resource Customization for custom health check - properties: - check: - type: string - group: - type: string - kind: - type: string - type: object - type: array - resourceIgnoreDifferences: - description: ResourceIgnoreDifferences customizes resource ignore - difference behavior. - properties: - all: - properties: - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - managedFieldsManagers: - items: - type: string - type: array - type: object - resourceIdentifiers: - items: - description: Resource Customization fields for ignore difference - properties: - customization: - properties: - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - managedFieldsManagers: - items: - type: string - type: array - type: object - group: - type: string - kind: - type: string - type: object - type: array - type: object - resourceInclusions: - description: ResourceInclusions is used to only include specific group/kinds - in the reconciliation process. - type: string - resourceTrackingMethod: - description: ResourceTrackingMethod defines how Argo CD should track - resources that it manages - type: string - server: - description: Server defines the options for the ArgoCD Server component. - properties: - autoscale: - description: Autoscale defines the autoscale options for the Argo - CD Server component. - properties: - enabled: - description: Enabled will toggle autoscaling support for the - Argo CD Server component. - type: boolean - hpa: - description: HPA defines the HorizontalPodAutoscaler options - for the Argo CD Server component. - properties: - maxReplicas: - description: upper limit for the number of pods that can - be set by the autoscaler; cannot be smaller than MinReplicas. - format: int32 - type: integer - minReplicas: - description: minReplicas is the lower limit for the number - of replicas to which the autoscaler can scale down. It - defaults to 1 pod. minReplicas is allowed to be 0 if - the alpha feature gate HPAScaleToZero is enabled and - at least one Object or External metric is configured. Scaling - is active as long as at least one metric value is available. - format: int32 - type: integer - scaleTargetRef: - description: reference to scaled resource; horizontal - pod autoscaler will learn the current resource consumption - and will set the desired number of pods by using its - Scale subresource. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' - type: string - name: - description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - required: - - kind - - name - type: object - targetCPUUtilizationPercentage: - description: target average CPU utilization (represented - as a percentage of requested CPU) over all the pods; - if not specified the default autoscaling policy will - be used. - format: int32 - type: integer - required: - - maxReplicas - - scaleTargetRef - type: object - required: - - enabled - type: object - env: - description: Env lets you specify environment for API server pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - extraCommandArgs: - description: Extra Command arguments that would append to the - Argo CD server command. ExtraCommandArgs will not be added, - if one of these commands is already part of the server command - with same or different value. - items: - type: string - type: array - grpc: - description: GRPC defines the state for the Argo CD Server GRPC - options. - properties: - host: - description: Host is the hostname to use for Ingress/Route - resources. - type: string - ingress: - description: Ingress defines the desired state for the Argo - CD Server GRPC Ingress. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to - apply to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress - only supports a single TLS port, 443. If multiple members - of this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified - through the SNI TLS extension, if the ingress controller - fulfilling the ingress supports SNI. - items: - description: IngressTLS describes the transport layer - security associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included - in the TLS certificate. The values in this list - must match the name/s used in the tlsSecret. Defaults - to the wildcard host setting for the loadbalancer - controller fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret - used to terminate TLS traffic on port 443. Field - is left optional to allow TLS routing based on - SNI hostname alone. If the SNI host in a listener - conflicts with the "Host" header field used by - an IngressRule, the SNI host is used for termination - and value of the Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - type: object - host: - description: Host is the hostname to use for Ingress/Route resources. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Argo CD Server component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to apply - to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress only - supports a single TLS port, 443. If multiple members of - this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified through - the SNI TLS extension, if the ingress controller fulfilling - the ingress supports SNI. - items: - description: IngressTLS describes the transport layer security - associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included in the - TLS certificate. The values in this list must match - the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller - fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret used - to terminate TLS traffic on port 443. Field is left - optional to allow TLS routing based on SNI hostname - alone. If the SNI host in a listener conflicts with - the "Host" header field used by an IngressRule, the - SNI host is used for termination and value of the - Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - insecure: - description: Insecure toggles the insecure flag. - type: boolean - logFormat: - description: LogFormat refers to the log level to be used by the - ArgoCD Server component. Defaults to ArgoCDDefaultLogFormat - if not configured. Valid options are text or json. - type: string - logLevel: - description: LogLevel refers to the log level to be used by the - ArgoCD Server component. Defaults to ArgoCDDefaultLogLevel if - not set. Valid options are debug, info, error, and warn. - type: string - replicas: - description: Replicas defines the number of replicas for argocd-server. - Default is nil. Value should be greater than or equal to 0. - Value will be ignored if Autoscaler is enabled. - format: int32 - type: integer - resources: - description: Resources defines the Compute Resources required - by the container for the Argo CD server component. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Argo CD Server component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to use - for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the Route - resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the contents - of the ca certificate of the final destination. When - using reencrypt termination this file should be provided - in order to have routers use it for health checks on - the secure connection. If this field is not specified, - the router may provide its own destination CA and perform - hostname validation using the short service name (service.namespace.svc), - which allows infrastructure generated certificates to - automatically verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to a route. - While each router may make its own decisions on which - ports to expose, this is normally port 80. \n * Allow - - traffic is sent to the server on the insecure port - (default) * Disable - no traffic is allowed on the insecure - port. * Redirect - clients are redirected to the secure - port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - service: - description: Service defines the options for the Service backing - the ArgoCD Server component. - properties: - type: - description: Type is the ServiceType to use for the Service - resource. - type: string - required: - - type - type: object - type: object - sourceNamespaces: - description: SourceNamespaces defines the namespaces application resources - are allowed to be created in - items: - type: string - type: array - sso: - description: SSO defines the Single Sign-on configuration for Argo - CD - properties: - dex: - description: Dex contains the configuration for Argo CD dex authentication - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must - be a member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object - image: - description: Image is the SSO container image. - type: string - keycloak: - description: Keycloak contains the configuration for Argo CD keycloak - authentication - properties: - image: - description: Image is the Keycloak container image. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for Keycloak. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - rootCA: - description: Custom root CA certificate for communicating - with the Keycloak OIDC provider - type: string - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the Keycloak container image tag. - type: string - type: object - provider: - description: Provider installs and configures the given SSO Provider - with Argo CD. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for SSO. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the SSO container image tag. - type: string - type: object - statusBadgeEnabled: - description: StatusBadgeEnabled toggles application status badge feature. - type: boolean - tls: - description: TLS defines the TLS options for ArgoCD. - properties: - ca: - description: CA defines the CA options. - properties: - configMapName: - description: ConfigMapName is the name of the ConfigMap containing - the CA Certificate. - type: string - secretName: - description: SecretName is the name of the Secret containing - the CA Certificate and Key. - type: string - type: object - initialCerts: - additionalProperties: - type: string - description: InitialCerts defines custom TLS certificates upon - creation of the cluster for connecting Git repositories via - HTTPS. - type: object - type: object - usersAnonymousEnabled: - description: UsersAnonymousEnabled toggles anonymous user access. - The anonymous users get default role permissions specified argocd-rbac-cm. - type: boolean - version: - description: Version is the tag to use with the ArgoCD container image - for all ArgoCD components. - type: string - type: object - status: - description: ArgoCDStatus defines the observed state of ArgoCD - properties: - applicationController: - description: 'ApplicationController is a simple, high-level summary - of where the Argo CD application controller component is in its - lifecycle. There are four possible ApplicationController values: - Pending: The Argo CD application controller component has been accepted - by the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD application controller component are in a Ready state. Failed: - At least one of the Argo CD application controller component Pods - had a failure. Unknown: The state of the Argo CD application controller - component could not be obtained.' - type: string - applicationSetController: - description: 'ApplicationSetController is a simple, high-level summary - of where the Argo CD applicationSet controller component is in its - lifecycle. There are four possible ApplicationSetController values: - Pending: The Argo CD applicationSet controller component has been - accepted by the Kubernetes system, but one or more of the required - resources have not been created. Running: All of the required Pods - for the Argo CD applicationSet controller component are in a Ready - state. Failed: At least one of the Argo CD applicationSet controller - component Pods had a failure. Unknown: The state of the Argo CD - applicationSet controller component could not be obtained.' - type: string - dex: - description: 'Dex is a simple, high-level summary of where the Argo - CD Dex component is in its lifecycle. There are four possible dex - values: Pending: The Argo CD Dex component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Dex component are in a Ready state. Failed: At least one - of the Argo CD Dex component Pods had a failure. Unknown: The state - of the Argo CD Dex component could not be obtained.' - type: string - host: - description: Host is the hostname of the Ingress. - type: string - notificationsController: - description: 'NotificationsController is a simple, high-level summary - of where the Argo CD notifications controller component is in its - lifecycle. There are four possible NotificationsController values: - Pending: The Argo CD notifications controller component has been - accepted by the Kubernetes system, but one or more of the required - resources have not been created. Running: All of the required Pods - for the Argo CD notifications controller component are in a Ready - state. Failed: At least one of the Argo CD notifications controller - component Pods had a failure. Unknown: The state of the Argo CD - notifications controller component could not be obtained.' - type: string - phase: - description: 'Phase is a simple, high-level summary of where the ArgoCD - is in its lifecycle. There are four possible phase values: Pending: - The ArgoCD has been accepted by the Kubernetes system, but one or - more of the required resources have not been created. Available: - All of the resources for the ArgoCD are ready. Failed: At least - one resource has experienced a failure. Unknown: The state of the - ArgoCD phase could not be obtained.' - type: string - redis: - description: 'Redis is a simple, high-level summary of where the Argo - CD Redis component is in its lifecycle. There are four possible - redis values: Pending: The Argo CD Redis component has been accepted - by the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Redis component are in a Ready state. Failed: At least one - of the Argo CD Redis component Pods had a failure. Unknown: The - state of the Argo CD Redis component could not be obtained.' - type: string - redisTLSChecksum: - description: RedisTLSChecksum contains the SHA256 checksum of the - latest known state of tls.crt and tls.key in the argocd-operator-redis-tls - secret. - type: string - repo: - description: 'Repo is a simple, high-level summary of where the Argo - CD Repo component is in its lifecycle. There are four possible repo - values: Pending: The Argo CD Repo component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Repo component are in a Ready state. Failed: At least one - of the Argo CD Repo component Pods had a failure. Unknown: The - state of the Argo CD Repo component could not be obtained.' - type: string - repoTLSChecksum: - description: RepoTLSChecksum contains the SHA256 checksum of the latest - known state of tls.crt and tls.key in the argocd-repo-server-tls - secret. - type: string - server: - description: 'Server is a simple, high-level summary of where the - Argo CD server component is in its lifecycle. There are four possible - server values: Pending: The Argo CD server component has been accepted - by the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD server component are in a Ready state. Failed: At least - one of the Argo CD server component Pods had a failure. Unknown: - The state of the Argo CD server component could not be obtained.' - type: string - ssoConfig: - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration - is illegal or more than one SSO providers are configured in CR. - Unknown: The SSO configuration could not be obtained.' - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/09_deployment_argocd-operator-controller-manager.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/09_deployment_argocd-operator-controller-manager.yaml deleted file mode 100644 index f07080f3f3..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/09_deployment_argocd-operator-controller-manager.yaml +++ /dev/null @@ -1,204 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-operator-controller-manager - namespace: argocd-system -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - control-plane: controller-manager - strategy: {} - template: - metadata: - annotations: - alm-examples: |- - [ - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "AppProject", - "metadata": { - "name": "example" - }, - "spec": null - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "Application", - "metadata": { - "name": "example" - }, - "spec": null - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "ApplicationSet", - "metadata": { - "name": "example" - }, - "spec": null - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "ArgoCD", - "metadata": { - "name": "argocd-sample" - }, - "spec": { - "controller": { - "resources": { - "limits": { - "cpu": "2000m", - "memory": "2048Mi" - }, - "requests": { - "cpu": "250m", - "memory": "1024Mi" - } - } - }, - "ha": { - "enabled": false, - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "250m", - "memory": "128Mi" - } - } - }, - "redis": { - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "250m", - "memory": "128Mi" - } - } - }, - "repo": { - "resources": { - "limits": { - "cpu": "1000m", - "memory": "512Mi" - }, - "requests": { - "cpu": "250m", - "memory": "256Mi" - } - } - }, - "server": { - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "125m", - "memory": "128Mi" - } - }, - "route": { - "enabled": true - } - }, - "sso": { - "dex": { - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "250m", - "memory": "128Mi" - } - } - }, - "provider": "dex" - } - } - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "ArgoCDExport", - "metadata": { - "name": "argocdexport-sample" - }, - "spec": { - "argocd": "argocd-sample" - } - } - ] - capabilities: Deep Insights - categories: Integration & Delivery - certified: "false" - containerImage: quay.io/argoprojlabs/argocd-operator@sha256:99aeec24cc406d06d18822347d9ac3ed053a702d8419191e4e681075fed7b9bb - description: Argo CD is a declarative, GitOps continuous delivery tool for - Kubernetes. - olm.targetNamespaces: argocd-system - operators.operatorframework.io/builder: operator-sdk-v1.10.0+git - operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 - repository: https://github.com/argoproj-labs/argocd-operator - support: Argo CD - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: {} - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - env: - - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.annotations['olm.targetNamespaces'] - image: quay.io/argoprojlabs/argocd-operator@sha256:99aeec24cc406d06d18822347d9ac3ed053a702d8419191e4e681075fed7b9bb - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - securityContext: - runAsNonRoot: true - serviceAccountName: argocd-operator-controller-manager - terminationGracePeriodSeconds: 10 -status: {} diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml deleted file mode 100644 index fd60a6dc8c..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 - namespace: argocd-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml deleted file mode 100644 index c3a6e24e8a..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 - namespace: argocd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 -subjects: -- kind: ServiceAccount - name: argocd-operator-controller-manager - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml deleted file mode 100644 index e69c19f45a..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - control-plane: controller-manager - name: argocd-operator-controller-manager-metrics-service - namespace: argocd-system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager -status: - loadBalancer: {} diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml deleted file mode 100644 index 8e5212c47c..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-operator-controller-manager - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml deleted file mode 100644 index 19a68a5707..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: argocd-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml deleted file mode 100644 index d90e1d44b5..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml +++ /dev/null @@ -1,159 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - persistentvolumeclaims - - pods - - secrets - - serviceaccounts - - services - - services/finalizers - verbs: - - '*' -- apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get -- apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - argocd-operator - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - '*' -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - '*' -- apiGroups: - - argoproj.io - resources: - - argocdexports - - argocdexports/finalizers - - argocdexports/status - verbs: - - '*' -- apiGroups: - - argoproj.io - resources: - - argocds - - argocds/finalizers - - argocds/status - verbs: - - '*' -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - '*' -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - prometheuses - - servicemonitors - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - '*' -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - template.openshift.io - resources: - - templateconfigs - - templateinstances - - templates - verbs: - - '*' -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml deleted file mode 100644 index e1752b965a..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx -subjects: -- kind: ServiceAccount - name: argocd-operator-controller-manager - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/03_configmap_argocd-operator-manager-config.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/03_configmap_argocd-operator-manager-config.yaml deleted file mode 100644 index 98d1f72c07..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/03_configmap_argocd-operator-manager-config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: b674928d.argoproj.io -kind: ConfigMap -metadata: - name: argocd-operator-manager-config - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/04_customresourcedefinition_applications.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/04_customresourcedefinition_applications.argoproj.io.yaml deleted file mode 100644 index b1f398ec1b..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/04_customresourcedefinition_applications.argoproj.io.yaml +++ /dev/null @@ -1,4018 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applications.argoproj.io - app.kubernetes.io/part-of: argocd - name: applications.argoproj.io -spec: - group: argoproj.io - names: - kind: Application - listKind: ApplicationList - plural: applications - shortNames: - - app - - apps - singular: application - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.sync.status - name: Sync Status - type: string - - jsonPath: .status.health.status - name: Health Status - type: string - - jsonPath: .status.sync.revision - name: Revision - priority: 10 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Application is a definition of Application resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - operation: - description: Operation contains information about a requested or running - operation - properties: - info: - description: Info is a list of informational items for this operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who started - operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent retries - of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default unit - is seconds, but could also be a duration (e.g. "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time allowed - for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. - format: int64 - type: integer - type: object - sync: - description: Sync contains parameters for the operation - properties: - dryRun: - description: DryRun specifies to perform a `kubectl apply --dry-run` - without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides sync - source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from the cluster - that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall be part - of the sync - items: - description: SyncOperationResource contains resources to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision (Git) or chart version (Helm) - which to sync the application to If omitted, will use the revision - specified in app spec. - type: string - revisions: - description: Revisions is the list of revision (Git) or chart - version (Helm) which to sync each source in sources field for - the application to If omitted, will use the revision specified - in app spec. - items: - type: string - type: array - source: - description: Source overrides the source definition set in the - application. This is typically set in a Rollback operation and - is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by - not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources for - Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type - parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be - commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources overrides the source definition set in the - application. This is typically set in a Rollback operation and - is nil during a Sync operation - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncOptions: - description: SyncOptions provide per-sync sync-options, e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the sync - properties: - apply: - description: Apply will perform a `kubectl apply` to perform - the sync. - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force flag - deletes and re-create the resource, when PATCH encounters - conflict and has retried for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources to - perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force flag - deletes and re-create the resource, when PATCH encounters - conflict and has retried for 5 times. - type: boolean - type: object - type: object - type: object - type: object - spec: - description: ApplicationSpec represents desired application state. Contains - link to repository with application definition and additional parameters - link definition revision. - properties: - destination: - description: Destination is a reference to the target Kubernetes server - and namespace - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. The namespace will only be set for - namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API - type: string - type: object - ignoreDifferences: - description: IgnoreDifferences is a list of resources and their fields - which should be ignored during comparison - items: - description: ResourceIgnoreDifferences contains resource filter - and list of json paths which should be ignored during comparison - with live state. - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - description: ManagedFieldsManagers is a list of trusted managers. - Fields mutated by those managers will take precedence over - the desired state defined in the SCM and won't be displayed - in diffs - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - description: Info contains a list of information (URLs, email addresses, - and plain text) that relates to the application - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - description: Project is a reference to the project this application - belongs to. The empty string means that application belongs to the - 'default' project. - type: string - revisionHistoryLimit: - description: RevisionHistoryLimit limits the number of items kept - in the application's revision history, which is used for informational - purposes as well as for rollbacks to previous versions. This should - only be changed in exceptional circumstances. Setting to zero will - store no history. This will reduce storage used. Increasing will - increase the space used to store the history, so we do not recommend - increasing it. Default is 10. - format: int64 - type: integer - source: - description: Source is a reference to the location of the application's - manifests or chart - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being used - during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels to - add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to force - applying common annotations to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize to - use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be commit, - tag, or branch. If omitted, will equal to HEAD. In case of Helm, - this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the location of the application's - manifests or chart - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being - used during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to - force applying common annotations to resources for Kustomize - apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type - parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be commit, - tag, or branch. If omitted, will equal to HEAD. In case of - Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - description: SyncPolicy controls when and how a sync will be performed - properties: - automated: - description: Automated will keep an application synced to the - target revision - properties: - allowEmpty: - description: 'AllowEmpty allows apps have zero live resources - (default: false)' - type: boolean - prune: - description: 'Prune specifies whether to delete resources - from the cluster that are not found in the sources anymore - as part of automated sync (default: false)' - type: boolean - selfHeal: - description: 'SelfHeal specifes whether to revert resources - back to their desired state upon modification in the cluster - (default: false)' - type: boolean - type: object - managedNamespaceMetadata: - description: ManagedNamespaceMetadata controls metadata in the - given namespace (if CreateNamespace=true) - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time - allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. - format: int64 - type: integer - type: object - syncOptions: - description: Options allow you to specify whole app sync-options - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - status: - description: ApplicationStatus contains status information for the application - properties: - conditions: - description: Conditions is a list of currently observed application - conditions - items: - description: ApplicationCondition contains details about an application - condition, which is usally an error or warning - properties: - lastTransitionTime: - description: LastTransitionTime is the time the condition was - last observed - format: date-time - type: string - message: - description: Message contains human-readable message indicating - details about condition - type: string - type: - description: Type is an application condition type - type: string - required: - - message - - type - type: object - type: array - health: - description: Health contains information about the application's current - health status - properties: - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the application or - resource - type: string - type: object - history: - description: History contains information about the application's - sync history - items: - description: RevisionHistory contains history information about - a previous sync - properties: - deployStartedAt: - description: DeployStartedAt holds the time the sync operation - started - format: date-time - type: string - deployedAt: - description: DeployedAt holds the time the sync operation completed - format: date-time - type: string - id: - description: ID is an auto incrementing identifier of the RevisionHistory - format: int64 - type: integer - revision: - description: Revision holds the revision the sync was performed - against - type: string - revisions: - description: Revisions holds the revision of each source in - sources field the sync was performed against - items: - type: string - type: array - source: - description: Source is a reference to the application source - used for the sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the application sources - used for the sync operation - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - type: array - required: - - deployedAt - - id - type: object - type: array - observedAt: - description: 'ObservedAt indicates when the application state was - updated without querying latest git state Deprecated: controller - no longer updates ObservedAt field' - format: date-time - type: string - operationState: - description: OperationState contains information about any ongoing - operations, such as a sync - properties: - finishedAt: - description: FinishedAt contains time of operation completion - format: date-time - type: string - message: - description: Message holds any pertinent messages when attempting - to perform operation (typically errors). - type: string - operation: - description: Operation is the original requested operation - properties: - info: - description: Info is a list of informational items for this - operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was - initiated automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who - started operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync - fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base - duration after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of - time allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for - retrying a failed sync. If set to 0, no retries will - be performed. - format: int64 - type: integer - type: object - sync: - description: Sync contains parameters for the operation - properties: - dryRun: - description: DryRun specifies to perform a `kubectl apply - --dry-run` without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides - sync source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from - the cluster that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall - be part of the sync - items: - description: SyncOperationResource contains resources - to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision (Git) or chart version - (Helm) which to sync the application to If omitted, - will use the revision specified in app spec. - type: string - revisions: - description: Revisions is the list of revision (Git) or - chart version (Helm) which to sync each source in sources - field for the application to If omitted, will use the - revision specified in app spec. - items: - type: string - type: array - source: - description: Source overrides the source definition set - in the application. This is typically set in a Rollback - operation and is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to - Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents - helm template from failing when valueFiles do - not exist locally by not appending them to helm - template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of - Kustomize to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in - the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources overrides the source definition set - in the application. This is typically set in a Rollback - operation and is nil during a Sync operation - items: - description: ApplicationSource contains all required - information about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern - to match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern - to match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific - to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents - helm template from failing when valueFiles - do not exist locally by not appending them - to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter - that's passed to helm template during manifest - generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release - name to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource - definition installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to - be passed to helm template, typically defined - as a block - type: string - version: - description: Version is the Helm version to - use for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific - options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of - additional annotations to add to rendered - manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps - type: string - version: - description: Version controls which version - of Kustomize to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the - Git repository, and is only valid for applications - sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry - in the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the - variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an - array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map - type parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a - string type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source - within sources field. This field will not be used - if used with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision - of the source to sync the application to. In case - of Git, this can be commit, tag, or branch. If - omitted, will equal to HEAD. In case of Helm, - this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncOptions: - description: SyncOptions provide per-sync sync-options, - e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the - sync - properties: - apply: - description: Apply will perform a `kubectl apply` - to perform the sync. - properties: - force: - description: Force indicates whether or not to - supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, - when PATCH encounters conflict and has retried - for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources - to perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to - supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, - when PATCH encounters conflict and has retried - for 5 times. - type: boolean - type: object - type: object - type: object - type: object - phase: - description: Phase is the current phase of the operation - type: string - retryCount: - description: RetryCount contains time of operation retries - format: int64 - type: integer - startedAt: - description: StartedAt contains time of operation start - format: date-time - type: string - syncResult: - description: SyncResult is the result of a Sync operation - properties: - resources: - description: Resources contains a list of sync result items - for each individual resource in a sync operation - items: - description: ResourceResult holds the operation result details - of a specific resource - properties: - group: - description: Group specifies the API group of the resource - type: string - hookPhase: - description: HookPhase contains the state of any operation - associated with this resource OR hook This can also - contain values for non-hook resources. - type: string - hookType: - description: HookType specifies the type of the hook. - Empty for non-hook resources - type: string - kind: - description: Kind specifies the API kind of the resource - type: string - message: - description: Message contains an informational or error - message for the last sync OR operation - type: string - name: - description: Name specifies the name of the resource - type: string - namespace: - description: Namespace specifies the target namespace - of the resource - type: string - status: - description: Status holds the final result of the sync. - Will be empty if the resources is yet to be applied/pruned - and is always zero-value for hooks - type: string - syncPhase: - description: SyncPhase indicates the particular phase - of the sync that this result was acquired in - type: string - version: - description: Version specifies the API version of the - resource - type: string - required: - - group - - kind - - name - - namespace - - version - type: object - type: array - revision: - description: Revision holds the revision this sync operation - was performed to - type: string - revisions: - description: Revisions holds the revision this sync operation - was performed for respective indexed source in sources field - items: - type: string - type: array - source: - description: Source records the application source information - of the sync, used for comparing auto-sync - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Source records the application source information - of the sync, used for comparing auto-sync - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be - specified for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a - directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template - --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to - all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources for - Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - required: - - revision - type: object - required: - - operation - - phase - - startedAt - type: object - reconciledAt: - description: ReconciledAt indicates when the application state was - reconciled using the latest git version - format: date-time - type: string - resourceHealthSource: - description: 'ResourceHealthSource indicates where the resource health - status is stored: inline if not set or appTree' - type: string - resources: - description: Resources is a list of Kubernetes resources managed by - this application - items: - description: 'ResourceStatus holds the current sync and health status - of a resource TODO: describe members of this type' - properties: - group: - type: string - health: - description: HealthStatus contains information about the currently - observed health state of an application or resource - properties: - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the application - or resource - type: string - type: object - hook: - type: boolean - kind: - type: string - name: - type: string - namespace: - type: string - requiresPruning: - type: boolean - status: - description: SyncStatusCode is a type which represents possible - comparison results - type: string - syncWave: - format: int64 - type: integer - version: - type: string - type: object - type: array - sourceType: - description: SourceType specifies the type of this application - type: string - sourceTypes: - description: SourceTypes specifies the type of the sources included - in the application - items: - description: ApplicationSourceType specifies the type of the application's - source - type: string - type: array - summary: - description: Summary contains a list of URLs and container images - used by this application - properties: - externalURLs: - description: ExternalURLs holds all external URLs of application - child resources. - items: - type: string - type: array - images: - description: Images holds all images of application child resources. - items: - type: string - type: array - type: object - sync: - description: Sync contains information about the application's current - sync status - properties: - comparedTo: - description: ComparedTo contains information about what has been - compared - properties: - destination: - description: Destination is a reference to the application's - destination used for comparison - properties: - name: - description: Name is an alternate way of specifying the - target cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace - for the application's resources. The namespace will - only be set for namespace-scoped resources that have - not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API - type: string - type: object - source: - description: Source is a reference to the application's source - used for comparison - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the application's multiple - sources used for comparison - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be - specified for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a - directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template - --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to - all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources for - Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - required: - - destination - type: object - revision: - description: Revision contains information about the revision - the comparison has been performed to - type: string - revisions: - description: Revisions contains information about the revisions - of multiple sources the comparison has been performed to - items: - type: string - type: array - status: - description: Status is the sync state of the comparison - type: string - required: - - status - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/05_customresourcedefinition_applicationsets.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/05_customresourcedefinition_applicationsets.argoproj.io.yaml deleted file mode 100644 index 272bd9e056..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/05_customresourcedefinition_applicationsets.argoproj.io.yaml +++ /dev/null @@ -1,10772 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applicationsets.argoproj.io - app.kubernetes.io/part-of: argocd - name: applicationsets.argoproj.io -spec: - group: argoproj.io - names: - kind: ApplicationSet - listKind: ApplicationSetList - plural: applicationsets - shortNames: - - appset - - appsets - singular: applicationset - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - type: object - merge: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - mergeKeys: - items: - type: string - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - - mergeKeys - type: object - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - goTemplate: - type: boolean - strategy: - properties: - rollingSync: - properties: - steps: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - maxUpdate: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: array - type: object - type: - type: string - type: object - syncPolicy: - properties: - preserveResourcesOnDeletion: - type: boolean - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - - template - type: object - status: - properties: - applicationStatus: - items: - properties: - application: - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - step: - type: string - required: - - application - - message - - status - - step - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/06_customresourcedefinition_appprojects.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/06_customresourcedefinition_appprojects.argoproj.io.yaml deleted file mode 100644 index 1ed93a159d..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/06_customresourcedefinition_appprojects.argoproj.io.yaml +++ /dev/null @@ -1,328 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: appprojects.argoproj.io - app.kubernetes.io/part-of: argocd - name: appprojects.argoproj.io -spec: - group: argoproj.io - names: - kind: AppProject - listKind: AppProjectList - plural: appprojects - shortNames: - - appproj - - appprojs - singular: appproject - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: 'AppProject provides a logical grouping of applications, providing - controls for: * where the apps may deploy to (cluster whitelist) * what - may be deployed (repository whitelist, resource whitelist/blacklist) * who - can access these applications (roles, OIDC group claims bindings) * and - what they can do (RBAC policies) * automation access to these roles (JWT - tokens)' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AppProjectSpec is the specification of an AppProject - properties: - clusterResourceBlacklist: - description: ClusterResourceBlacklist contains list of blacklisted - cluster level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - clusterResourceWhitelist: - description: ClusterResourceWhitelist contains list of whitelisted - cluster level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - description: - description: Description contains optional project description - type: string - destinations: - description: Destinations contains list of destinations available - for deployment - items: - description: ApplicationDestination holds information about the - application's destination - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. The namespace will only be set for - namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API - type: string - type: object - type: array - namespaceResourceBlacklist: - description: NamespaceResourceBlacklist contains list of blacklisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - namespaceResourceWhitelist: - description: NamespaceResourceWhitelist contains list of whitelisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - orphanedResources: - description: OrphanedResources specifies if controller should monitor - orphaned resources of apps in this project - properties: - ignore: - description: Ignore contains a list of resources that are to be - excluded from orphaned resources monitoring - items: - description: OrphanedResourceKey is a reference to a resource - to be ignored from - properties: - group: - type: string - kind: - type: string - name: - type: string - type: object - type: array - warn: - description: Warn indicates if warning condition should be created - for apps which have orphaned resources - type: boolean - type: object - permitOnlyProjectScopedClusters: - description: PermitOnlyProjectScopedClusters determines whether destinations - can only reference clusters which are project-scoped - type: boolean - roles: - description: Roles are user defined RBAC roles associated with this - project - items: - description: ProjectRole represents a role that has access to a - project - properties: - description: - description: Description is a description of the role - type: string - groups: - description: Groups are a list of OIDC group claims bound to - this role - items: - type: string - type: array - jwtTokens: - description: JWTTokens are a list of generated JWT tokens bound - to this role - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - name: - description: Name is a name for this role - type: string - policies: - description: Policies Stores a list of casbin formatted strings - that define access policies for the role in the project - items: - type: string - type: array - required: - - name - type: object - type: array - signatureKeys: - description: SignatureKeys contains a list of PGP key IDs that commits - in Git must be signed with in order to be allowed for sync - items: - description: SignatureKey is the specification of a key required - to verify commit signatures with - properties: - keyID: - description: The ID of the key in hexadecimal notation - type: string - required: - - keyID - type: object - type: array - sourceNamespaces: - description: SourceNamespaces defines the namespaces application resources - are allowed to be created in - items: - type: string - type: array - sourceRepos: - description: SourceRepos contains list of repository URLs which can - be used for deployment - items: - type: string - type: array - syncWindows: - description: SyncWindows controls when syncs can be run for apps in - this project - items: - description: SyncWindow contains the kind, time, duration and attributes - that are used to assign the syncWindows to apps - properties: - applications: - description: Applications contains a list of applications that - the window will apply to - items: - type: string - type: array - clusters: - description: Clusters contains a list of clusters that the window - will apply to - items: - type: string - type: array - duration: - description: Duration is the amount of time the sync window - will be open - type: string - kind: - description: Kind defines if the window allows or blocks syncs - type: string - manualSync: - description: ManualSync enables manual syncs when they would - otherwise be blocked - type: boolean - namespaces: - description: Namespaces contains a list of namespaces that the - window will apply to - items: - type: string - type: array - schedule: - description: Schedule is the time the window will begin, specified - in cron format - type: string - timeZone: - description: TimeZone of the sync that will be applied to the - schedule - type: string - type: object - type: array - type: object - status: - description: AppProjectStatus contains status information for AppProject - CRs - properties: - jwtTokensByRole: - additionalProperties: - description: JWTTokens represents a list of JWT tokens - properties: - items: - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - type: object - description: JWTTokensByRole contains a list of JWT tokens issued - for a given role - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/07_customresourcedefinition_argocdexports.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/07_customresourcedefinition_argocdexports.argoproj.io.yaml deleted file mode 100644 index c3248d4740..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/07_customresourcedefinition_argocdexports.argoproj.io.yaml +++ /dev/null @@ -1,257 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - name: argocdexports.argoproj.io -spec: - group: argoproj.io - names: - kind: ArgoCDExport - listKind: ArgoCDExportList - plural: argocdexports - singular: argocdexport - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ArgoCDExport is the Schema for the argocdexports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ArgoCDExportSpec defines the desired state of ArgoCDExport - properties: - argocd: - description: Argocd is the name of the ArgoCD instance to export. - type: string - image: - description: Image is the container image to use for the export Job. - type: string - schedule: - description: Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. - type: string - storage: - description: Storage defines the storage configuration options. - properties: - backend: - description: Backend defines the storage backend to use, must - be "local" (the default), "aws", "azure" or "gcp". - type: string - pvc: - description: PVC is the desired characteristics for a PersistentVolumeClaim. - properties: - accessModes: - description: 'AccessModes contains the desired access modes - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: 'This field can be used to specify either: * - An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) If the provisioner - or an external controller can support the specified data - source, it will create a new volume based on the contents - of the specified data source. If the AnyVolumeDataSource - feature gate is enabled, this field will always have the - same contents as the DataSourceRef field.' - properties: - apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - dataSourceRef: - description: 'Specifies the object from which to populate - the volume with data, if a non-empty volume is desired. - This may be any local object from a non-empty API group - (non core object) or a PersistentVolumeClaim object. When - this field is specified, volume binding will only succeed - if the type of the specified object matches some installed - volume populator or dynamic provisioner. This field will - replace the functionality of the DataSource field and as - such if both fields are non-empty, they must have the same - value. For backwards compatibility, both fields (DataSource - and DataSourceRef) will be set to the same value automatically - if one of them is empty and the other is non-empty. There - are two important differences between DataSource and DataSourceRef: - * While DataSource only allows two specific types of objects, - DataSourceRef allows any non-core object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed values (dropping - them), DataSourceRef preserves all values, and generates - an error if a disallowed value is specified. (Alpha) Using - this field requires the AnyVolumeDataSource feature gate - to be enabled.' - properties: - apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum resources the - volume should have. If RecoverVolumeExpansionFailure feature - is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher - than capacity recorded in the status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - selector: - description: A label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of volume is required - by the claim. Value of Filesystem is implied when not included - in claim spec. - type: string - volumeName: - description: VolumeName is the binding reference to the PersistentVolume - backing this claim. - type: string - type: object - secretName: - description: SecretName is the name of a Secret with encryption - key, credentials, etc. - type: string - type: object - version: - description: Version is the tag/digest to use for the export Job container - image. - type: string - required: - - argocd - type: object - status: - description: ArgoCDExportStatus defines the observed state of ArgoCDExport - properties: - phase: - description: 'Phase is a simple, high-level summary of where the ArgoCDExport - is in its lifecycle. There are five possible phase values: Pending: - The ArgoCDExport has been accepted by the Kubernetes system, but - one or more of the required resources have not been created. Running: - All of the containers for the ArgoCDExport are still running, or - in the process of starting or restarting. Succeeded: All containers - for the ArgoCDExport have terminated in success, and will not be - restarted. Failed: At least one container has terminated in failure, - either exited with non-zero status or was terminated by the system. - Unknown: For some reason the state of the ArgoCDExport could not - be obtained.' - type: string - required: - - phase - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/08_customresourcedefinition_argocds.argoproj.io.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/08_customresourcedefinition_argocds.argoproj.io.yaml deleted file mode 100644 index 426a186d4e..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/08_customresourcedefinition_argocds.argoproj.io.yaml +++ /dev/null @@ -1,6443 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - name: argocds.argoproj.io -spec: - group: argoproj.io - names: - kind: ArgoCD - listKind: ArgoCDList - plural: argocds - singular: argocd - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ArgoCD is the Schema for the argocds API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ArgoCDSpec defines the desired state of ArgoCD - properties: - applicationInstanceLabelKey: - description: ApplicationInstanceLabelKey is the key name where Argo - CD injects the app name as a tracking label. - type: string - applicationSet: - description: ArgoCDApplicationSet defines whether the Argo CD ApplicationSet - controller should be installed. - properties: - env: - description: Env lets you specify environment for applicationSet - controller pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - extraCommandArgs: - description: ExtraCommandArgs allows users to pass command line - arguments to ApplicationSet controller. They get added to default - command line arguments provided by the operator. Please note - that the command line arguments provided as part of ExtraCommandArgs - will not overwrite the default command line arguments. - items: - type: string - type: array - image: - description: Image is the Argo CD ApplicationSet image (optional) - type: string - logLevel: - description: LogLevel describes the log level that should be used - by the ApplicationSet controller. Defaults to ArgoCDDefaultLogLevel - if not set. Valid options are debug,info, error, and warn. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for ApplicationSet. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Argo CD ApplicationSet image tag. - (optional) - type: string - webhookServer: - description: WebhookServerSpec defines the options for the ApplicationSet - Webhook Server component. - properties: - host: - description: Host is the hostname to use for Ingress/Route - resources. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Application set webhook component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to - apply to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress - only supports a single TLS port, 443. If multiple members - of this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified - through the SNI TLS extension, if the ingress controller - fulfilling the ingress supports SNI. - items: - description: IngressTLS describes the transport layer - security associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included - in the TLS certificate. The values in this list - must match the name/s used in the tlsSecret. Defaults - to the wildcard host setting for the loadbalancer - controller fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret - used to terminate TLS traffic on port 443. Field - is left optional to allow TLS routing based on - SNI hostname alone. If the SNI host in a listener - conflicts with the "Host" header field used by - an IngressRule, the SNI host is used for termination - and value of the Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Application set webhook component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to - use for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the - Route resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the - contents of the ca certificate of the final destination. When - using reencrypt termination this file should be - provided in order to have routers use it for health - checks on the secure connection. If this field is - not specified, the router may provide its own destination - CA and perform hostname validation using the short - service name (service.namespace.svc), which allows - infrastructure generated certificates to automatically - verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to - a route. While each router may make its own decisions - on which ports to expose, this is normally port - 80. \n * Allow - traffic is sent to the server on - the insecure port (default) * Disable - no traffic - is allowed on the insecure port. * Redirect - clients - are redirected to the secure port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - type: object - type: object - banner: - description: Banner defines an additional banner to be displayed in - Argo CD UI - properties: - content: - description: Content defines the banner message content to display - type: string - url: - description: URL defines an optional URL to be used as banner - message link - type: string - required: - - content - type: object - configManagementPlugins: - description: ConfigManagementPlugins is used to specify additional - config management plugins. - type: string - controller: - description: Controller defines the Application Controller options - for ArgoCD. - properties: - appSync: - description: "AppSync is used to control the sync frequency, by - default the ArgoCD controller polls Git every 3m. \n Set this - to a duration, e.g. 10m or 600s to control the synchronisation - frequency." - type: string - env: - description: Env lets you specify environment for application - controller pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - logFormat: - description: LogFormat refers to the log format used by the Application - Controller component. Defaults to ArgoCDDefaultLogFormat if - not configured. Valid options are text or json. - type: string - logLevel: - description: LogLevel refers to the log level used by the Application - Controller component. Defaults to ArgoCDDefaultLogLevel if not - configured. Valid options are debug, info, error, and warn. - type: string - parallelismLimit: - description: ParallelismLimit defines the limit for parallel kubectl - operations - format: int32 - type: integer - processors: - description: Processors contains the options for the Application - Controller processors. - properties: - operation: - description: Operation is the number of application operation - processors. - format: int32 - type: integer - status: - description: Status is the number of application status processors. - format: int32 - type: integer - type: object - resources: - description: Resources defines the Compute Resources required - by the container for the Application Controller. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - sharding: - description: Sharding contains the options for the Application - Controller sharding configuration. - properties: - enabled: - description: Enabled defines whether sharding should be enabled - on the Application Controller component. - type: boolean - replicas: - description: Replicas defines the number of replicas to run - in the Application controller shard. - format: int32 - type: integer - type: object - type: object - dex: - description: Dex defines the Dex server options for ArgoCD. - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must be a - member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object - disableAdmin: - description: DisableAdmin will disable the admin user. - type: boolean - extraConfig: - additionalProperties: - type: string - description: "ExtraConfig can be used to add fields to Argo CD configmap - that are not supported by Argo CD CRD. \n Note: ExtraConfig takes - precedence over Argo CD CRD. For example, A user sets `argocd.Spec.DisableAdmin` - = true and also `a.Spec.ExtraConfig[\"admin.enabled\"]` = true. - In this case, operator updates Argo CD Configmap as follows -> argocd-cm.Data[\"admin.enabled\"] - = true." - type: object - gaAnonymizeUsers: - description: GAAnonymizeUsers toggles user IDs being hashed before - sending to google analytics. - type: boolean - gaTrackingID: - description: GATrackingID is the google analytics tracking ID to use. - type: string - grafana: - description: Grafana defines the Grafana server options for ArgoCD. - properties: - enabled: - description: Enabled will toggle Grafana support globally for - ArgoCD. - type: boolean - host: - description: Host is the hostname to use for Ingress/Route resources. - type: string - image: - description: Image is the Grafana container image. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Grafana component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to apply - to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress only - supports a single TLS port, 443. If multiple members of - this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified through - the SNI TLS extension, if the ingress controller fulfilling - the ingress supports SNI. - items: - description: IngressTLS describes the transport layer security - associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included in the - TLS certificate. The values in this list must match - the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller - fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret used - to terminate TLS traffic on port 443. Field is left - optional to allow TLS routing based on SNI hostname - alone. If the SNI host in a listener conflicts with - the "Host" header field used by an IngressRule, the - SNI host is used for termination and value of the - Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - resources: - description: Resources defines the Compute Resources required - by the container for Grafana. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Grafana component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to use - for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the Route - resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the contents - of the ca certificate of the final destination. When - using reencrypt termination this file should be provided - in order to have routers use it for health checks on - the secure connection. If this field is not specified, - the router may provide its own destination CA and perform - hostname validation using the short service name (service.namespace.svc), - which allows infrastructure generated certificates to - automatically verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to a route. - While each router may make its own decisions on which - ports to expose, this is normally port 80. \n * Allow - - traffic is sent to the server on the insecure port - (default) * Disable - no traffic is allowed on the insecure - port. * Redirect - clients are redirected to the secure - port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - size: - description: Size is the replica count for the Grafana Deployment. - format: int32 - type: integer - version: - description: Version is the Grafana container image tag. - type: string - required: - - enabled - type: object - ha: - description: HA options for High Availability support for the Redis - component. - properties: - enabled: - description: Enabled will toggle HA support globally for Argo - CD. - type: boolean - redisProxyImage: - description: RedisProxyImage is the Redis HAProxy container image. - type: string - redisProxyVersion: - description: RedisProxyVersion is the Redis HAProxy container - image tag. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for HA. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - required: - - enabled - type: object - helpChatText: - description: HelpChatText is the text for getting chat help, defaults - to "Chat now!" - type: string - helpChatURL: - description: HelpChatURL is the URL for getting chat help, this will - typically be your Slack channel for support. - type: string - image: - description: Image is the ArgoCD container image for all ArgoCD components. - type: string - import: - description: Import is the import/restore options for ArgoCD. - properties: - name: - description: Name of an ArgoCDExport from which to import data. - type: string - namespace: - description: Namespace for the ArgoCDExport, defaults to the same - namespace as the ArgoCD. - type: string - required: - - name - type: object - initialRepositories: - description: InitialRepositories to configure Argo CD with upon creation - of the cluster. - type: string - initialSSHKnownHosts: - description: InitialSSHKnownHosts defines the SSH known hosts data - upon creation of the cluster for connecting Git repositories via - SSH. - properties: - excludedefaulthosts: - description: ExcludeDefaultHosts describes whether you would like - to include the default list of SSH Known Hosts provided by ArgoCD. - type: boolean - keys: - description: Keys describes a custom set of SSH Known Hosts that - you would like to have included in your ArgoCD server. - type: string - type: object - kustomizeBuildOptions: - description: KustomizeBuildOptions is used to specify build options/parameters - to use with `kustomize build`. - type: string - kustomizeVersions: - description: KustomizeVersions is a listing of configured versions - of Kustomize to be made available within ArgoCD. - items: - description: KustomizeVersionSpec is used to specify information - about a kustomize version to be used within ArgoCD. - properties: - path: - description: Path is the path to a configured kustomize version - on the filesystem of your repo server. - type: string - version: - description: Version is a configured kustomize version in the - format of vX.Y.Z - type: string - type: object - type: array - monitoring: - description: Monitoring defines whether workload status monitoring - configuration for this instance. - properties: - enabled: - description: Enabled defines whether workload status monitoring - is enabled for this instance or not - type: boolean - required: - - enabled - type: object - nodePlacement: - description: NodePlacement defines NodeSelectors and Taints for Argo - CD workloads - properties: - nodeSelector: - additionalProperties: - type: string - description: NodeSelector is a field of PodSpec, it is a map of - key value pairs used for node selection - type: object - tolerations: - description: Tolerations allow the pods to schedule onto nodes - with matching taints - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - notifications: - description: Notifications defines whether the Argo CD Notifications - controller should be installed. - properties: - enabled: - description: Enabled defines whether argocd-notifications controller - should be deployed or not - type: boolean - env: - description: Env let you specify environment variables for Notifications - pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - image: - description: Image is the Argo CD Notifications image (optional) - type: string - logLevel: - description: LogLevel describes the log level that should be used - by the argocd-notifications. Defaults to ArgoCDDefaultLogLevel - if not set. Valid options are debug,info, error, and warn. - type: string - replicas: - description: Replicas defines the number of replicas to run for - notifications-controller - format: int32 - type: integer - resources: - description: Resources defines the Compute Resources required - by the container for Argo CD Notifications. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Argo CD Notifications image tag. (optional) - type: string - required: - - enabled - type: object - oidcConfig: - description: OIDCConfig is the OIDC configuration as an alternative - to dex. - type: string - prometheus: - description: Prometheus defines the Prometheus server options for - ArgoCD. - properties: - enabled: - description: Enabled will toggle Prometheus support globally for - ArgoCD. - type: boolean - host: - description: Host is the hostname to use for Ingress/Route resources. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Prometheus component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to apply - to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress only - supports a single TLS port, 443. If multiple members of - this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified through - the SNI TLS extension, if the ingress controller fulfilling - the ingress supports SNI. - items: - description: IngressTLS describes the transport layer security - associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included in the - TLS certificate. The values in this list must match - the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller - fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret used - to terminate TLS traffic on port 443. Field is left - optional to allow TLS routing based on SNI hostname - alone. If the SNI host in a listener conflicts with - the "Host" header field used by an IngressRule, the - SNI host is used for termination and value of the - Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Prometheus component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to use - for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the Route - resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the contents - of the ca certificate of the final destination. When - using reencrypt termination this file should be provided - in order to have routers use it for health checks on - the secure connection. If this field is not specified, - the router may provide its own destination CA and perform - hostname validation using the short service name (service.namespace.svc), - which allows infrastructure generated certificates to - automatically verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to a route. - While each router may make its own decisions on which - ports to expose, this is normally port 80. \n * Allow - - traffic is sent to the server on the insecure port - (default) * Disable - no traffic is allowed on the insecure - port. * Redirect - clients are redirected to the secure - port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - size: - description: Size is the replica count for the Prometheus StatefulSet. - format: int32 - type: integer - required: - - enabled - type: object - rbac: - description: RBAC defines the RBAC configuration for Argo CD. - properties: - defaultPolicy: - description: DefaultPolicy is the name of the default role which - Argo CD will falls back to, when authorizing API requests (optional). - If omitted or empty, users may be still be able to login, but - will see no apps, projects, etc... - type: string - policy: - description: 'Policy is CSV containing user-defined RBAC policies - and role definitions. Policy rules are in the form: p, subject, - resource, action, object, effect Role definitions and bindings - are in the form: g, subject, inherited-subject See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md - for additional information.' - type: string - policyMatcherMode: - description: PolicyMatcherMode configures the matchers function - mode for casbin. There are two options for this, 'glob' for - glob matcher or 'regex' for regex matcher. - type: string - scopes: - description: 'Scopes controls which OIDC scopes to examine during - rbac enforcement (in addition to `sub` scope). If omitted, defaults - to: ''[groups]''.' - type: string - type: object - redis: - description: Redis defines the Redis server options for ArgoCD. - properties: - autotls: - description: 'AutoTLS specifies the method to use for automatic - TLS configuration for the redis server The value specified here - can currently be: - openshift - Use the OpenShift service CA - to request TLS config' - type: string - disableTLSVerification: - description: DisableTLSVerification defines whether redis server - API should be accessed using strict TLS validation - type: boolean - image: - description: Image is the Redis container image. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for Redis. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Redis container image tag. - type: string - type: object - repo: - description: Repo defines the repo server options for Argo CD. - properties: - autotls: - description: 'AutoTLS specifies the method to use for automatic - TLS configuration for the repo server The value specified here - can currently be: - openshift - Use the OpenShift service CA - to request TLS config' - type: string - env: - description: Env lets you specify environment for repo server - pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - execTimeout: - description: ExecTimeout specifies the timeout in seconds for - tool execution - type: integer - extraRepoCommandArgs: - description: Extra Command arguments allows users to pass command - line arguments to repo server workload. They get added to default - command line arguments provided by the operator. Please note - that the command line arguments provided as part of ExtraRepoCommandArgs - will not overwrite the default command line arguments. - items: - type: string - type: array - image: - description: Image is the ArgoCD Repo Server container image. - type: string - initContainers: - description: InitContainers defines the list of initialization - containers for the repo server deployment - items: - description: A single application container that you want to - run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s - CMD is used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s environment. - If a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never be expanded, - regardless of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. - The docker image''s ENTRYPOINT is used if this is not - provided. Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable cannot - be resolved, the reference in the input string will be - unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the - container. Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the - pod's namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables - in the container. The keys defined within a source must - be a C_IDENTIFIER. All invalid keys will be reported as - an event when the container is starting. When a key exists - in multiple sources, the value associated with the last - source will take precedence. Values defined by an Env - with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a - set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap must - be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to - each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret must be - defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management - to default or override container images in workload controllers - like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent - otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take - in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, the - container is terminated and restarted according to - its restart policy. Other management of the container - blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a - container is terminated due to an API request or management - event such as liveness/startup probe failure, preemption, - resource contention, etc. The handler is not called - if the container crashes or exits. The Pod''s termination - grace period countdown begins before the PreStop hook - is executed. Regardless of the outcome of the handler, - the container will eventually terminate within the - Pod''s termination grace period (unless delayed by - finalizers). Other management of the container blocks - until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container - will be restarted if the probe fails. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but is - primarily informational. Not specifying a port here DOES - NOT prevent that port from being exposed. Any port which - is listening on the default "0.0.0.0" address inside a - container will be accessible from the network. Cannot - be updated. - items: - description: ContainerPort represents a network port in - a single container. - properties: - containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, 0 - < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port - to. - type: string - hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, this - must match ContainerPort. Most containers do not - need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in a - pod must have a unique name. Name for the port that - can be referred to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if the - probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields of - SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether - a process can gain more privileges than its parent - process. This bool directly controls if the no_new_privs - flag will be set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run as Privileged - 2) has CAP_SYS_ADMIN Note that this field cannot be - set when spec.os.name is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this field - cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc mount - to use for the containers. The default is DefaultProcMount - which uses the container runtime defaults for readonly - paths and masked paths. This requires the ProcMountType - feature flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if - it does. If unset or false, no such validation will - be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the - container. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is - windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this container. - If seccomp options are provided at both the pod & - container level, the container options override the - pod options. Note that this field cannot be set when - spec.os.name is windows. - properties: - localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative to - the kubelet's configured seccomp profile location. - Must only be set if type is "Localhost". - type: string - type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n - Localhost - a profile defined in a file on the - node should be used. RuntimeDefault - the container - runtime default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options from the - PodSecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored - by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the - Pod. All of a Pod's containers must have the same - effective HostProcess value (it is not allowed - to have a mix of HostProcess containers and non-HostProcess - containers). In addition, if HostProcess is true - then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully - initialized. If specified, no other probes are executed - until this completes successfully. If this probe fails, - the Pod will be restarted, just as if the livenessProbe - failed. This can be used to provide different probe parameters - at the beginning of a Pod''s lifecycle, when it might - take a long time to load data or warm a cache, than during - steady-state operation. This cannot be updated. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer - for stdin in the container runtime. If this is not set, - reads from stdin in the container will always result in - EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce is - set to true, stdin is opened on container start, is empty - until the first client attaches to stdin, and then remains - open and accepts data until the client disconnects, at - which time stdin is closed and remains closed until the - container is restarted. If this flag is false, a container - processes that reads from stdin will never receive an - EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written is - mounted into the container''s filesystem. Message written - is intended to be brief final status, such as an assertion - failure message. Will be truncated by the node if greater - than 4096 bytes. The total message length across all containers - will be limited to 12kb. Defaults to /dev/termination-log. - Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last chunk - of container log output if the termination message file - is empty and the container exited with an error. The log - output is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY - for itself, also requires 'stdin' to be true. Default - is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. - items: - description: volumeDevice describes a mapping of a raw - block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the - container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: Path within the container at which the - volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and the - other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the - container's volume should be mounted. Defaults to - "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable - references $(VAR_NAME) are expanded using the container's - environment. Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which might - be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - logFormat: - description: LogFormat describes the log format that should be - used by the Repo Server. Defaults to ArgoCDDefaultLogFormat - if not configured. Valid options are text or json. - type: string - logLevel: - description: LogLevel describes the log level that should be used - by the Repo Server. Defaults to ArgoCDDefaultLogLevel if not - set. Valid options are debug, info, error, and warn. - type: string - mountsatoken: - description: MountSAToken describes whether you would like to - have the Repo server mount the service account token - type: boolean - replicas: - description: Replicas defines the number of replicas for argocd-repo-server. - Value should be greater than or equal to 0. Default is nil. - format: int32 - type: integer - resources: - description: Resources defines the Compute Resources required - by the container for Redis. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - serviceaccount: - description: ServiceAccount defines the ServiceAccount user that - you would like the Repo server to use - type: string - sidecarContainers: - description: SidecarContainers defines the list of sidecar containers - for the repo server deployment - items: - description: A single application container that you want to - run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s - CMD is used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s environment. - If a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never be expanded, - regardless of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. - The docker image''s ENTRYPOINT is used if this is not - provided. Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable cannot - be resolved, the reference in the input string will be - unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the - container. Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the - pod's namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables - in the container. The keys defined within a source must - be a C_IDENTIFIER. All invalid keys will be reported as - an event when the container is starting. When a key exists - in multiple sources, the value associated with the last - source will take precedence. Values defined by an Env - with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a - set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap must - be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to - each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret must be - defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management - to default or override container images in workload controllers - like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent - otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take - in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, the - container is terminated and restarted according to - its restart policy. Other management of the container - blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a - container is terminated due to an API request or management - event such as liveness/startup probe failure, preemption, - resource contention, etc. The handler is not called - if the container crashes or exits. The Pod''s termination - grace period countdown begins before the PreStop hook - is executed. Regardless of the outcome of the handler, - the container will eventually terminate within the - Pod''s termination grace period (unless delayed by - finalizers). Other management of the container blocks - until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this - field and lifecycle hooks will fail in runtime - when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container - will be restarted if the probe fails. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but is - primarily informational. Not specifying a port here DOES - NOT prevent that port from being exposed. Any port which - is listening on the default "0.0.0.0" address inside a - container will be accessible from the network. Cannot - be updated. - items: - description: ContainerPort represents a network port in - a single container. - properties: - containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, 0 - < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port - to. - type: string - hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, this - must match ContainerPort. Most containers do not - need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in a - pod must have a unique name. Name for the port that - can be referred to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if the - probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields of - SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether - a process can gain more privileges than its parent - process. This bool directly controls if the no_new_privs - flag will be set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run as Privileged - 2) has CAP_SYS_ADMIN Note that this field cannot be - set when spec.os.name is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this field - cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc mount - to use for the containers. The default is DefaultProcMount - which uses the container runtime defaults for readonly - paths and masked paths. This requires the ProcMountType - feature flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if - it does. If unset or false, no such validation will - be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the - container. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is - windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this container. - If seccomp options are provided at both the pod & - container level, the container options override the - pod options. Note that this field cannot be set when - spec.os.name is windows. - properties: - localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative to - the kubelet's configured seccomp profile location. - Must only be set if type is "Localhost". - type: string - type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n - Localhost - a profile defined in a file on the - node should be used. RuntimeDefault - the container - runtime default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options from the - PodSecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set - when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored - by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the - Pod. All of a Pod's containers must have the same - effective HostProcess value (it is not allowed - to have a mix of HostProcess containers and non-HostProcess - containers). In addition, if HostProcess is true - then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully - initialized. If specified, no other probes are executed - until this completes successfully. If this probe fails, - the Pod will be restarted, just as if the livenessProbe - failed. This can be used to provide different probe parameters - at the beginning of a Pod''s lifecycle, when it might - take a long time to load data or warm a cache, than during - steady-state operation. This cannot be updated. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute - inside the container, the working directory for - the command is root ('/') in the container's - filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you need - to explicitly call out to that shell. Exit status - of 0 is treated as live/healthy and non-zero is - unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC - port. This is an alpha field and requires enabling - GRPCContainerProbe feature gate. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to - the pod IP. You probably want to set "Host" in - httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting to the - host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum - value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. If this value is nil, - the pod's terminationGracePeriodSeconds will be used. - Otherwise, this value overrides the value provided - by the pod spec. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). This is - a beta field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which the probe - times out. Defaults to 1 second. Minimum value is - 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer - for stdin in the container runtime. If this is not set, - reads from stdin in the container will always result in - EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce is - set to true, stdin is opened on container start, is empty - until the first client attaches to stdin, and then remains - open and accepts data until the client disconnects, at - which time stdin is closed and remains closed until the - container is restarted. If this flag is false, a container - processes that reads from stdin will never receive an - EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written is - mounted into the container''s filesystem. Message written - is intended to be brief final status, such as an assertion - failure message. Will be truncated by the node if greater - than 4096 bytes. The total message length across all containers - will be limited to 12kb. Defaults to /dev/termination-log. - Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last chunk - of container log output if the termination message file - is empty and the container exited with an error. The log - output is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY - for itself, also requires 'stdin' to be true. Default - is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. - items: - description: volumeDevice describes a mapping of a raw - block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the - container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: Path within the container at which the - volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and the - other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the - container's volume should be mounted. Defaults to - "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable - references $(VAR_NAME) are expanded using the container's - environment. Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which might - be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - verifytls: - description: VerifyTLS defines whether repo server API should - be accessed using strict TLS validation - type: boolean - version: - description: Version is the ArgoCD Repo Server container image - tag. - type: string - volumeMounts: - description: VolumeMounts adds volumeMounts to the repo server - container - items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: Volumes adds volumes to the repo server deployment - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - partition: - description: 'The partition in the volume that you want - to mount. If omitted, the default is to mount by volume - name. Examples: For volume /dev/sda1, you specify - the partition as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the property - empty).' - format: int32 - type: integer - readOnly: - description: 'Specify "true" to force and set the ReadOnly - property in VolumeMounts to "true". If omitted, the - default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: boolean - volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: string - required: - - volumeID - type: object - azureDisk: - description: AzureDisk represents an Azure Data Disk mount - on the host and bind mount to the pod. - properties: - cachingMode: - description: 'Host Caching mode: None, Read Only, Read - Write.' - type: string - diskName: - description: The Name of the data disk in the blob storage - type: string - diskURI: - description: The URI the data disk in the blob storage - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - kind: - description: 'Expected values Shared: multiple blob - disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed data - disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: AzureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: the name of secret that contains Azure - Storage Account Name and Key - type: string - shareName: - description: Share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: CephFS represents a Ceph FS mount on the host - that shares a pod's lifetime - properties: - monitors: - description: 'Required: Monitors is a collection of - Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - items: - type: string - type: array - path: - description: 'Optional: Used as the mounted root, rather - than the full Ceph tree, default is /' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: boolean - secretFile: - description: 'Optional: SecretFile is the path to key - ring for User, default is /etc/ceph/user.secret More - info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - secretRef: - description: 'Optional: SecretRef is reference to the - authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - user: - description: 'Optional: User is the rados user name, - default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - required: - - monitors - type: object - cinder: - description: 'Cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - properties: - fsType: - description: 'Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: boolean - secretRef: - description: 'Optional: points to a secret object containing - parameters used to connect to OpenStack.' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - volumeID: - description: 'volume id used to identify the volume - in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - required: - - volumeID - type: object - configMap: - description: ConfigMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. Defaults - to 0644. Directories within the path are not affected - by this setting. This might be in conflict with other - options that affect the file mode, like fsGroup, and - the result can be other mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in - the Data field of the referenced ConfigMap will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the ConfigMap, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set - permissions on this file. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - path: - description: The relative path of the file to - map the key to. May not be an absolute path. - May not contain the path element '..'. May not - start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys - must be defined - type: boolean - type: object - csi: - description: CSI (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: Driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. - type: string - fsType: - description: Filesystem type to mount. Ex. "ext4", "xfs", - "ntfs". If not provided, the empty value is passed - to the associated CSI driver which will determine - the default filesystem to apply. - type: string - nodePublishSecretRef: - description: NodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - readOnly: - description: Specifies a read-only configuration for - the volume. Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: VolumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: DownwardAPI represents downward API about the - pod that should populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name and namespace - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must not - be absolute or contain the ''..'' path. Must - be utf-8 encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - emptyDir: - description: 'EmptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - properties: - medium: - description: 'What type of storage medium should back - this directory. The default is "" which means to use - the node''s default medium. Must be an empty string - (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: 'Total amount of local storage required - for this EmptyDir volume. The size limit is also applicable - for memory medium. The maximum usage on memory medium - EmptyDir would be the minimum value between the SizeLimit - specified here and the sum of memory limits of all - containers in a pod. The default is nil which means - that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: "Ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - \ a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between this - volume type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." - properties: - volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." - properties: - metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. - type: object - spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. - properties: - accessModes: - description: 'AccessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: 'This field can be used to specify - either: * An existing VolumeSnapshot object - (snapshot.storage.k8s.io/VolumeSnapshot) * - An existing PVC (PersistentVolumeClaim) If - the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. If the AnyVolumeDataSource - feature gate is enabled, this field will always - have the same contents as the DataSourceRef - field.' - properties: - apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - dataSourceRef: - description: 'Specifies the object from which - to populate the volume with data, if a non-empty - volume is desired. This may be any local object - from a non-empty API group (non core object) - or a PersistentVolumeClaim object. When this - field is specified, volume binding will only - succeed if the type of the specified object - matches some installed volume populator or - dynamic provisioner. This field will replace - the functionality of the DataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, both fields (DataSource and - DataSourceRef) will be set to the same value - automatically if one of them is empty and - the other is non-empty. There are two important - differences between DataSource and DataSourceRef: - * While DataSource only allows two specific - types of objects, DataSourceRef allows any - non-core object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error if a disallowed - value is specified. (Alpha) Using this field - requires the AnyVolumeDataSource feature gate - to be enabled.' - properties: - apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - selector: - description: A label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. - type: string - volumeName: - description: VolumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: FC represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: 'Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. TODO: how do we prevent errors in the - filesystem from compromising the machine' - type: string - lun: - description: 'Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts.' - type: boolean - targetWWNs: - description: 'Optional: FC target worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' - items: - type: string - type: array - type: object - flexVolume: - description: FlexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. - properties: - driver: - description: Driver is the name of the driver to use - for this volume. - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". The default filesystem depends on FlexVolume - script. - type: string - options: - additionalProperties: - type: string - description: 'Optional: Extra command options if any.' - type: object - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts.' - type: boolean - secretRef: - description: 'Optional: SecretRef is reference to the - secret object containing sensitive information to - pass to the plugin scripts. This may be empty if no - secret object is specified. If the secret object contains - more than one secret, all secrets are passed to the - plugin scripts.' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - required: - - driver - type: object - flocker: - description: Flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: Name of the dataset stored as metadata - -> name on the dataset for Flocker should be considered - as deprecated - type: string - datasetUUID: - description: UUID of the dataset. This is unique identifier - of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - partition: - description: 'The partition in the volume that you want - to mount. If omitted, the default is to mount by volume - name. Examples: For volume /dev/sda1, you specify - the partition as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the property - empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - format: int32 - type: integer - pdName: - description: 'Unique name of the PD resource in GCE. - Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: boolean - required: - - pdName - type: object - gitRepo: - description: 'GitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' - properties: - directory: - description: Target directory name. Must not contain - or start with '..'. If '.' is supplied, the volume - directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. - type: string - repository: - description: Repository URL - type: string - revision: - description: Commit hash for the specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: 'Glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' - properties: - endpoints: - description: 'EndpointsName is the endpoint name that - details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - path: - description: 'Path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - readOnly: - description: 'ReadOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: 'HostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' - properties: - path: - description: 'Path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - type: - description: 'Type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - required: - - path - type: object - iscsi: - description: 'ISCSI represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' - properties: - chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: whether support iSCSI Session CHAP authentication - type: boolean - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - initiatorName: - description: Custom iSCSI Initiator Name. If initiatorName - is specified with iscsiInterface simultaneously, new - iSCSI interface : will - be created for the connection. - type: string - iqn: - description: Target iSCSI Qualified Name. - type: string - iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI - transport. Defaults to 'default' (tcp). - type: string - lun: - description: iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: iSCSI Target Portal List. The portal is - either an IP or ip_addr:port if the port is other - than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: ReadOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. - type: boolean - secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - targetPortal: - description: iSCSI Target Portal. The Portal is either - an IP or ip_addr:port if the port is other than default - (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: 'Volume''s name. Must be a DNS_LABEL and unique - within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - nfs: - description: 'NFS represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - properties: - path: - description: 'Path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - readOnly: - description: 'ReadOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: boolean - server: - description: 'Server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - type: string - readOnly: - description: Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - pdID: - description: ID that identifies Photon Controller persistent - disk - type: string - required: - - pdID - type: object - portworxVolume: - description: PortworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: FSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: VolumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: Items for all in one resources secrets, configmaps, - and downward API - properties: - defaultMode: - description: Mode bits used to set permissions on created - files by default. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires - decimal values for mode bits. Directories within the - path are not affected by this setting. This might - be in conflict with other options that affect the - file mode, like fsGroup, and the result can be other - mode bits set. - format: int32 - type: integer - sources: - description: list of volume projections - items: - description: Projection that may be projected along - with other supported volume types - properties: - configMap: - description: information about the configMap data - to project - properties: - items: - description: If unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain - the path element '..'. May not start - with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - downwardAPI: - description: information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute or - contain the ''..'' path. Must be utf-8 - encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' - properties: - containerName: - description: 'Container name: required - for volumes, optional for env - vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - secret: - description: information about the secret data - to project - properties: - items: - description: If unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain - the path element '..'. May not start - with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - type: object - serviceAccountToken: - description: information about the serviceAccountToken - data to project - properties: - audience: - description: Audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. - format: int64 - type: integer - path: - description: Path is the path relative to - the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: Quobyte represents a Quobyte mount on the host - that shares a pod's lifetime - properties: - group: - description: Group to map volume access to Default is - no group - type: string - readOnly: - description: ReadOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. - type: boolean - registry: - description: Registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes - type: string - tenant: - description: Tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin - type: string - user: - description: User to map volume access to Defaults to - serivceaccount user - type: string - volume: - description: Volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: 'RBD represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' - type: string - image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - keyring: - description: 'Keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - monitors: - description: 'A collection of Ceph monitors. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - items: - type: string - type: array - pool: - description: 'The rados pool name. Default is rbd. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: boolean - secretRef: - description: 'SecretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - user: - description: 'The rados user name. Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - required: - - image - - monitors - type: object - scaleIO: - description: ScaleIO represents a ScaleIO persistent volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Default is "xfs". - type: string - gateway: - description: The host address of the ScaleIO API Gateway. - type: string - protectionDomain: - description: The name of the ScaleIO Protection Domain - for the configured storage. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - description: Indicates whether the storage for a volume - should be ThickProvisioned or ThinProvisioned. Default - is ThinProvisioned. - type: string - storagePool: - description: The ScaleIO Storage Pool associated with - the protection domain. - type: string - system: - description: The name of the storage system as configured - in ScaleIO. - type: string - volumeName: - description: The name of a volume already created in - the ScaleIO system that is associated with this volume - source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: 'Secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. Defaults - to 0644. Directories within the path are not affected - by this setting. This might be in conflict with other - options that affect the file mode, like fsGroup, and - the result can be other mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in - the Data field of the referenced Secret will be projected - into the volume as a file whose name is the key and - content is the value. If specified, the listed keys - will be projected into the specified paths, and unlisted - keys will not be present. If a key is specified which - is not present in the Secret, the volume setup will - error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start - with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set - permissions on this file. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' - format: int32 - type: integer - path: - description: The relative path of the file to - map the key to. May not be an absolute path. - May not contain the path element '..'. May not - start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: Specify whether the Secret or its keys - must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - type: object - storageos: - description: StorageOS represents a StorageOS volume attached - and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - volumeName: - description: VolumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. - type: string - volumeNamespace: - description: VolumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. - type: string - type: object - vsphereVolume: - description: VsphereVolume represents a vSphere volume attached - and mounted on kubelets host machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - storagePolicyID: - description: Storage Policy Based Management (SPBM) - profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: Storage Policy Based Management (SPBM) - profile name. - type: string - volumePath: - description: Path that identifies vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - repositoryCredentials: - description: RepositoryCredentials are the Git pull credentials to - configure Argo CD with upon creation of the cluster. - type: string - resourceActions: - description: ResourceActions customizes resource action behavior. - items: - description: Resource Customization for custom action - properties: - action: - type: string - group: - type: string - kind: - type: string - type: object - type: array - resourceCustomizations: - description: 'ResourceCustomizations customizes resource behavior. - Keys are in the form: group/Kind. Please note that this is being - deprecated in favor of ResourceHealthChecks, ResourceIgnoreDifferences, - and ResourceActions.' - type: string - resourceExclusions: - description: ResourceExclusions is used to completely ignore entire - classes of resource group/kinds. - type: string - resourceHealthChecks: - description: ResourceHealthChecks customizes resource health check - behavior. - items: - description: Resource Customization for custom health check - properties: - check: - type: string - group: - type: string - kind: - type: string - type: object - type: array - resourceIgnoreDifferences: - description: ResourceIgnoreDifferences customizes resource ignore - difference behavior. - properties: - all: - properties: - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - managedFieldsManagers: - items: - type: string - type: array - type: object - resourceIdentifiers: - items: - description: Resource Customization fields for ignore difference - properties: - customization: - properties: - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - managedFieldsManagers: - items: - type: string - type: array - type: object - group: - type: string - kind: - type: string - type: object - type: array - type: object - resourceInclusions: - description: ResourceInclusions is used to only include specific group/kinds - in the reconciliation process. - type: string - resourceTrackingMethod: - description: ResourceTrackingMethod defines how Argo CD should track - resources that it manages - type: string - server: - description: Server defines the options for the ArgoCD Server component. - properties: - autoscale: - description: Autoscale defines the autoscale options for the Argo - CD Server component. - properties: - enabled: - description: Enabled will toggle autoscaling support for the - Argo CD Server component. - type: boolean - hpa: - description: HPA defines the HorizontalPodAutoscaler options - for the Argo CD Server component. - properties: - maxReplicas: - description: upper limit for the number of pods that can - be set by the autoscaler; cannot be smaller than MinReplicas. - format: int32 - type: integer - minReplicas: - description: minReplicas is the lower limit for the number - of replicas to which the autoscaler can scale down. It - defaults to 1 pod. minReplicas is allowed to be 0 if - the alpha feature gate HPAScaleToZero is enabled and - at least one Object or External metric is configured. Scaling - is active as long as at least one metric value is available. - format: int32 - type: integer - scaleTargetRef: - description: reference to scaled resource; horizontal - pod autoscaler will learn the current resource consumption - and will set the desired number of pods by using its - Scale subresource. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' - type: string - name: - description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - required: - - kind - - name - type: object - targetCPUUtilizationPercentage: - description: target average CPU utilization (represented - as a percentage of requested CPU) over all the pods; - if not specified the default autoscaling policy will - be used. - format: int32 - type: integer - required: - - maxReplicas - - scaleTargetRef - type: object - required: - - enabled - type: object - env: - description: Env lets you specify environment for API server pods - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - extraCommandArgs: - description: Extra Command arguments that would append to the - Argo CD server command. ExtraCommandArgs will not be added, - if one of these commands is already part of the server command - with same or different value. - items: - type: string - type: array - grpc: - description: GRPC defines the state for the Argo CD Server GRPC - options. - properties: - host: - description: Host is the hostname to use for Ingress/Route - resources. - type: string - ingress: - description: Ingress defines the desired state for the Argo - CD Server GRPC Ingress. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to - apply to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress - only supports a single TLS port, 443. If multiple members - of this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified - through the SNI TLS extension, if the ingress controller - fulfilling the ingress supports SNI. - items: - description: IngressTLS describes the transport layer - security associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included - in the TLS certificate. The values in this list - must match the name/s used in the tlsSecret. Defaults - to the wildcard host setting for the loadbalancer - controller fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret - used to terminate TLS traffic on port 443. Field - is left optional to allow TLS routing based on - SNI hostname alone. If the SNI host in a listener - conflicts with the "Host" header field used by - an IngressRule, the SNI host is used for termination - and value of the Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - type: object - host: - description: Host is the hostname to use for Ingress/Route resources. - type: string - ingress: - description: Ingress defines the desired state for an Ingress - for the Argo CD Server component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to apply - to the Ingress. - type: object - enabled: - description: Enabled will toggle the creation of the Ingress. - type: boolean - ingressClassName: - description: IngressClassName for the Ingress resource. - type: string - path: - description: Path used for the Ingress resource. - type: string - tls: - description: TLS configuration. Currently the Ingress only - supports a single TLS port, 443. If multiple members of - this list specify different hosts, they will be multiplexed - on the same port according to the hostname specified through - the SNI TLS extension, if the ingress controller fulfilling - the ingress supports SNI. - items: - description: IngressTLS describes the transport layer security - associated with an Ingress. - properties: - hosts: - description: Hosts are a list of hosts included in the - TLS certificate. The values in this list must match - the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller - fulfilling this Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: SecretName is the name of the secret used - to terminate TLS traffic on port 443. Field is left - optional to allow TLS routing based on SNI hostname - alone. If the SNI host in a listener conflicts with - the "Host" header field used by an IngressRule, the - SNI host is used for termination and value of the - Host header is used for routing. - type: string - type: object - type: array - required: - - enabled - type: object - insecure: - description: Insecure toggles the insecure flag. - type: boolean - logFormat: - description: LogFormat refers to the log level to be used by the - ArgoCD Server component. Defaults to ArgoCDDefaultLogFormat - if not configured. Valid options are text or json. - type: string - logLevel: - description: LogLevel refers to the log level to be used by the - ArgoCD Server component. Defaults to ArgoCDDefaultLogLevel if - not set. Valid options are debug, info, error, and warn. - type: string - replicas: - description: Replicas defines the number of replicas for argocd-server. - Default is nil. Value should be greater than or equal to 0. - Value will be ignored if Autoscaler is enabled. - format: int32 - type: integer - resources: - description: Resources defines the Compute Resources required - by the container for the Argo CD server component. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - route: - description: Route defines the desired state for an OpenShift - Route for the Argo CD Server component. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is the map of annotations to use - for the Route resource. - type: object - enabled: - description: Enabled will toggle the creation of the OpenShift - Route. - type: boolean - labels: - additionalProperties: - type: string - description: Labels is the map of labels to use for the Route - resource - type: object - path: - description: Path the router watches for, to route traffic - for to the service. - type: string - tls: - description: TLS provides the ability to configure certificates - and termination for the Route. - properties: - caCertificate: - description: caCertificate provides the cert authority - certificate contents - type: string - certificate: - description: certificate provides certificate contents - type: string - destinationCACertificate: - description: destinationCACertificate provides the contents - of the ca certificate of the final destination. When - using reencrypt termination this file should be provided - in order to have routers use it for health checks on - the secure connection. If this field is not specified, - the router may provide its own destination CA and perform - hostname validation using the short service name (service.namespace.svc), - which allows infrastructure generated certificates to - automatically verify. - type: string - insecureEdgeTerminationPolicy: - description: "insecureEdgeTerminationPolicy indicates - the desired behavior for insecure connections to a route. - While each router may make its own decisions on which - ports to expose, this is normally port 80. \n * Allow - - traffic is sent to the server on the insecure port - (default) * Disable - no traffic is allowed on the insecure - port. * Redirect - clients are redirected to the secure - port." - type: string - key: - description: key provides key file contents - type: string - termination: - description: termination indicates termination type. - type: string - required: - - termination - type: object - wildcardPolicy: - description: WildcardPolicy if any for the route. Currently - only 'Subdomain' or 'None' is allowed. - type: string - required: - - enabled - type: object - service: - description: Service defines the options for the Service backing - the ArgoCD Server component. - properties: - type: - description: Type is the ServiceType to use for the Service - resource. - type: string - required: - - type - type: object - type: object - sourceNamespaces: - description: SourceNamespaces defines the namespaces application resources - are allowed to be created in - items: - type: string - type: array - sso: - description: SSO defines the Single Sign-on configuration for Argo - CD - properties: - dex: - description: Dex contains the configuration for Argo CD dex authentication - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must - be a member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object - image: - description: Image is the SSO container image. - type: string - keycloak: - description: Keycloak contains the configuration for Argo CD keycloak - authentication - properties: - image: - description: Image is the Keycloak container image. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for Keycloak. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - rootCA: - description: Custom root CA certificate for communicating - with the Keycloak OIDC provider - type: string - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the Keycloak container image tag. - type: string - type: object - provider: - description: Provider installs and configures the given SSO Provider - with Argo CD. - type: string - resources: - description: Resources defines the Compute Resources required - by the container for SSO. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the SSO container image tag. - type: string - type: object - statusBadgeEnabled: - description: StatusBadgeEnabled toggles application status badge feature. - type: boolean - tls: - description: TLS defines the TLS options for ArgoCD. - properties: - ca: - description: CA defines the CA options. - properties: - configMapName: - description: ConfigMapName is the name of the ConfigMap containing - the CA Certificate. - type: string - secretName: - description: SecretName is the name of the Secret containing - the CA Certificate and Key. - type: string - type: object - initialCerts: - additionalProperties: - type: string - description: InitialCerts defines custom TLS certificates upon - creation of the cluster for connecting Git repositories via - HTTPS. - type: object - type: object - usersAnonymousEnabled: - description: UsersAnonymousEnabled toggles anonymous user access. - The anonymous users get default role permissions specified argocd-rbac-cm. - type: boolean - version: - description: Version is the tag to use with the ArgoCD container image - for all ArgoCD components. - type: string - type: object - status: - description: ArgoCDStatus defines the observed state of ArgoCD - properties: - applicationController: - description: 'ApplicationController is a simple, high-level summary - of where the Argo CD application controller component is in its - lifecycle. There are four possible ApplicationController values: - Pending: The Argo CD application controller component has been accepted - by the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD application controller component are in a Ready state. Failed: - At least one of the Argo CD application controller component Pods - had a failure. Unknown: The state of the Argo CD application controller - component could not be obtained.' - type: string - applicationSetController: - description: 'ApplicationSetController is a simple, high-level summary - of where the Argo CD applicationSet controller component is in its - lifecycle. There are four possible ApplicationSetController values: - Pending: The Argo CD applicationSet controller component has been - accepted by the Kubernetes system, but one or more of the required - resources have not been created. Running: All of the required Pods - for the Argo CD applicationSet controller component are in a Ready - state. Failed: At least one of the Argo CD applicationSet controller - component Pods had a failure. Unknown: The state of the Argo CD - applicationSet controller component could not be obtained.' - type: string - dex: - description: 'Dex is a simple, high-level summary of where the Argo - CD Dex component is in its lifecycle. There are four possible dex - values: Pending: The Argo CD Dex component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Dex component are in a Ready state. Failed: At least one - of the Argo CD Dex component Pods had a failure. Unknown: The state - of the Argo CD Dex component could not be obtained.' - type: string - host: - description: Host is the hostname of the Ingress. - type: string - notificationsController: - description: 'NotificationsController is a simple, high-level summary - of where the Argo CD notifications controller component is in its - lifecycle. There are four possible NotificationsController values: - Pending: The Argo CD notifications controller component has been - accepted by the Kubernetes system, but one or more of the required - resources have not been created. Running: All of the required Pods - for the Argo CD notifications controller component are in a Ready - state. Failed: At least one of the Argo CD notifications controller - component Pods had a failure. Unknown: The state of the Argo CD - notifications controller component could not be obtained.' - type: string - phase: - description: 'Phase is a simple, high-level summary of where the ArgoCD - is in its lifecycle. There are four possible phase values: Pending: - The ArgoCD has been accepted by the Kubernetes system, but one or - more of the required resources have not been created. Available: - All of the resources for the ArgoCD are ready. Failed: At least - one resource has experienced a failure. Unknown: The state of the - ArgoCD phase could not be obtained.' - type: string - redis: - description: 'Redis is a simple, high-level summary of where the Argo - CD Redis component is in its lifecycle. There are four possible - redis values: Pending: The Argo CD Redis component has been accepted - by the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Redis component are in a Ready state. Failed: At least one - of the Argo CD Redis component Pods had a failure. Unknown: The - state of the Argo CD Redis component could not be obtained.' - type: string - redisTLSChecksum: - description: RedisTLSChecksum contains the SHA256 checksum of the - latest known state of tls.crt and tls.key in the argocd-operator-redis-tls - secret. - type: string - repo: - description: 'Repo is a simple, high-level summary of where the Argo - CD Repo component is in its lifecycle. There are four possible repo - values: Pending: The Argo CD Repo component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Repo component are in a Ready state. Failed: At least one - of the Argo CD Repo component Pods had a failure. Unknown: The - state of the Argo CD Repo component could not be obtained.' - type: string - repoTLSChecksum: - description: RepoTLSChecksum contains the SHA256 checksum of the latest - known state of tls.crt and tls.key in the argocd-repo-server-tls - secret. - type: string - server: - description: 'Server is a simple, high-level summary of where the - Argo CD server component is in its lifecycle. There are four possible - server values: Pending: The Argo CD server component has been accepted - by the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD server component are in a Ready state. Failed: At least - one of the Argo CD server component Pods had a failure. Unknown: - The state of the Argo CD server component could not be obtained.' - type: string - ssoConfig: - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration - is illegal or more than one SSO providers are configured in CR. - Unknown: The SSO configuration could not be obtained.' - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/09_deployment_argocd-operator-controller-manager.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/09_deployment_argocd-operator-controller-manager.yaml deleted file mode 100644 index 284bc54774..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/09_deployment_argocd-operator-controller-manager.yaml +++ /dev/null @@ -1,204 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-operator-controller-manager - namespace: argocd-system -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - control-plane: controller-manager - strategy: {} - template: - metadata: - annotations: - alm-examples: |- - [ - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "AppProject", - "metadata": { - "name": "example" - }, - "spec": null - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "Application", - "metadata": { - "name": "example" - }, - "spec": null - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "ApplicationSet", - "metadata": { - "name": "example" - }, - "spec": null - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "ArgoCD", - "metadata": { - "name": "argocd-sample" - }, - "spec": { - "controller": { - "resources": { - "limits": { - "cpu": "2000m", - "memory": "2048Mi" - }, - "requests": { - "cpu": "250m", - "memory": "1024Mi" - } - } - }, - "ha": { - "enabled": false, - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "250m", - "memory": "128Mi" - } - } - }, - "redis": { - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "250m", - "memory": "128Mi" - } - } - }, - "repo": { - "resources": { - "limits": { - "cpu": "1000m", - "memory": "512Mi" - }, - "requests": { - "cpu": "250m", - "memory": "256Mi" - } - } - }, - "server": { - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "125m", - "memory": "128Mi" - } - }, - "route": { - "enabled": true - } - }, - "sso": { - "dex": { - "resources": { - "limits": { - "cpu": "500m", - "memory": "256Mi" - }, - "requests": { - "cpu": "250m", - "memory": "128Mi" - } - } - }, - "provider": "dex" - } - } - }, - { - "apiVersion": "argoproj.io/v1alpha1", - "kind": "ArgoCDExport", - "metadata": { - "name": "argocdexport-sample" - }, - "spec": { - "argocd": "argocd-sample" - } - } - ] - capabilities: Deep Insights - categories: Integration & Delivery - certified: "false" - containerImage: quay.io/argoprojlabs/argocd-operator@sha256:99aeec24cc406d06d18822347d9ac3ed053a702d8419191e4e681075fed7b9bb - description: Argo CD is a declarative, GitOps continuous delivery tool for - Kubernetes. - olm.targetNamespaces: argocd-watch - operators.operatorframework.io/builder: operator-sdk-v1.10.0+git - operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 - repository: https://github.com/argoproj-labs/argocd-operator - support: Argo CD - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: {} - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - env: - - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.annotations['olm.targetNamespaces'] - image: quay.io/argoprojlabs/argocd-operator@sha256:99aeec24cc406d06d18822347d9ac3ed053a702d8419191e4e681075fed7b9bb - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - securityContext: - runAsNonRoot: true - serviceAccountName: argocd-operator-controller-manager - terminationGracePeriodSeconds: 10 -status: {} diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml deleted file mode 100644 index cd9667a38a..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 - namespace: argocd-watch -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml deleted file mode 100644 index 6ba70f3e58..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 - namespace: argocd-watch -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3 -subjects: -- kind: ServiceAccount - name: argocd-operator-controller-manager - namespace: argocd-system diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml deleted file mode 100644 index e69c19f45a..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - control-plane: controller-manager - name: argocd-operator-controller-manager-metrics-service - namespace: argocd-system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager -status: - loadBalancer: {} diff --git a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml b/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml deleted file mode 100644 index 8e5212c47c..0000000000 --- a/test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-operator-controller-manager - namespace: argocd-system diff --git a/testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/olm.operatorframework.com_ownnamespaces.yaml b/testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/olm.operatorframework.com_ownnamespaces.yaml deleted file mode 100644 index 305e3c73e8..0000000000 --- a/testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/olm.operatorframework.com_ownnamespaces.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: ownnamespaces.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: OwnNamespace - listKind: OwnNamespaceList - plural: ownnamespaces - singular: ownnamespace - scope: Cluster - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - testField: - type: string diff --git a/testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/ownnamespaceoperator.clusterserviceversion.yaml b/testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/ownnamespaceoperator.clusterserviceversion.yaml deleted file mode 100644 index d6c2a32550..0000000000 --- a/testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/ownnamespaceoperator.clusterserviceversion.yaml +++ /dev/null @@ -1,151 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: ClusterServiceVersion -metadata: - annotations: - alm-examples: |- - [ - { - "apiVersion": "ownnamespaces.olm.operatorframework.io/v1", - "kind": "OwnNamespace", - "metadata": { - "labels": { - "app.kubernetes.io/managed-by": "kustomize", - "app.kubernetes.io/name": "test" - }, - "name": "test-sample" - }, - "spec": null - } - ] - capabilities: Basic Install - createdAt: "2024-10-24T19:21:40Z" - operators.operatorframework.io/builder: operator-sdk-v1.34.1 - operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 - name: ownnamespaceoperator.v1.0.0 - namespace: placeholder -spec: - apiservicedefinitions: {} - customresourcedefinitions: - owned: - - description: A dummy resource for an operator that only supports own namespace install mode - displayName: OwnNamespace - kind: OwnNamespace - name: ownnamespaces.olm.operatorframework.io - version: v1 - description: OLM OwnNamespace Testing Operator - displayName: test-operator - icon: - - base64data: "" - mediatype: "" - install: - spec: - deployments: - - label: - app.kubernetes.io/component: controller - app.kubernetes.io/name: own-namespace-operator - app.kubernetes.io/version: 1.0.0 - name: own-namespace-operator - spec: - replicas: 1 - selector: - matchLabels: - app: ownnamespacetest - template: - metadata: - labels: - app: ownnamespacetest - spec: - terminationGracePeriodSeconds: 0 - containers: - - name: busybox - image: busybox:1.36 - command: - - 'sleep' - - '1000' - securityContext: - runAsUser: 1000 - runAsNonRoot: true - serviceAccountName: simple-bundle-manager - clusterPermissions: - - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - serviceAccountName: simple-bundle-manager - permissions: - - rules: - - apiGroups: - - "" - resources: - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - create - - update - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - serviceAccountName: simple-bundle-manager - strategy: deployment - installModes: - - supported: true - type: OwnNamespace - - supported: false - type: SingleNamespace - - supported: false - type: MultiNamespace - - supported: false - type: AllNamespaces - keywords: - - registry - links: - - name: simple-bundle - url: https://simple-bundle.domain - maintainers: - - email: main#simple-bundle.domain - name: Simple Bundle - maturity: beta - provider: - name: Simple Bundle - url: https://simple-bundle.domain - version: 1.0.0 diff --git a/testdata/images/bundles/own-namespace-operator/v1.0.0/metadata/annotations.yaml b/testdata/images/bundles/own-namespace-operator/v1.0.0/metadata/annotations.yaml deleted file mode 100644 index 24cf5213a1..0000000000 --- a/testdata/images/bundles/own-namespace-operator/v1.0.0/metadata/annotations.yaml +++ /dev/null @@ -1,10 +0,0 @@ -annotations: - # Core bundle annotations. - operators.operatorframework.io.bundle.mediatype.v1: registry+v1 - operators.operatorframework.io.bundle.manifests.v1: manifests/ - operators.operatorframework.io.bundle.metadata.v1: metadata/ - operators.operatorframework.io.bundle.package.v1: own-namespace-operator - operators.operatorframework.io.bundle.channels.v1: alpha - operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0 - operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 - operators.operatorframework.io.metrics.project_layout: unknown diff --git a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml index 012afbe830..53ab7ac198 100644 --- a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml +++ b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml @@ -133,26 +133,6 @@ properties: version: 0.0.1 --- schema: olm.package -name: own-namespace-operator -defaultChannel: alpha ---- -schema: olm.channel -name: alpha -package: own-namespace-operator -entries: - - name: own-namespace-operator.1.0.0 ---- -schema: olm.bundle -name: own-namespace-operator.1.0.0 -package: own-namespace-operator -image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/own-namespace-operator:v1.0.0 -properties: - - type: olm.package - value: - packageName: own-namespace-operator - version: 1.0.0 ---- -schema: olm.package name: single-namespace-operator defaultChannel: alpha ---