From 25814d6c9e98b0907ed6e3da26880f3fd440b3f7 Mon Sep 17 00:00:00 2001 From: Yu Qi Zhang Date: Thu, 7 Nov 2024 16:53:01 -0500 Subject: [PATCH 1/7] MachineOSConfig: set ImageSecretObjectReference to optional --- .../OnClusterBuild.yaml | 22 +++++++++++++++++-- .../v1alpha1/types_machineosconfig.go | 7 +++--- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 4 ++-- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 4 ++-- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 4 ++-- .../OnClusterBuild.yaml | 4 ++-- .../zz_generated.swagger_doc_generated.go | 2 +- .../generated_openapi/zz_generated.openapi.go | 4 ++-- openapi/openapi.json | 3 +-- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 4 ++-- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 4 ++-- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 4 ++-- 12 files changed, 42 insertions(+), 24 deletions(-) diff --git a/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 1c672d63edc..30484df888a 100644 --- a/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -93,7 +93,7 @@ tests: currentImagePullSecret: name: foo expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" - - name: Fail on no pull secret + - name: Allows for an empty pull secret initial: | apiVersion: machineconfiguration.openshift.io/v1alpha1 kind: MachineOSConfig 
@@ -113,4 +113,22 @@ tests: buildOutputs: currentImagePullSecret: name: foo - expectedError: "Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" + expected: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: quay.io/cdoern/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo diff --git a/machineconfiguration/v1alpha1/types_machineosconfig.go b/machineconfiguration/v1alpha1/types_machineosconfig.go index 35863517a54..01082e09102 100644 --- a/machineconfiguration/v1alpha1/types_machineosconfig.go +++ b/machineconfiguration/v1alpha1/types_machineosconfig.go 
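Review bot: The case renamed to "Allows for an empty pull secret" omits `baseImagePullSecret` altogether rather than supplying an empty one, so it pins omission but leaves the explicitly-empty form (`baseImagePullSecret: {}` or `name: ""`) unspecified now that the field is no longer in `required`. Renaming it to `Allows for an omitted base image pull secret` and adding a sibling case that submits `baseImagePullSecret: {}` with the intended outcome (accept, or reject on the inner `name` rule if one exists outside this hunk) would make the new contract explicit. A one-line comment above the case, `# no default is materialized; the controller is expected to fall back to the cluster-wide pull secret`, would also tell the next reader why `expected` carries no secret at all.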
@@ -104,9 +104,10 @@ type BuildInputs struct { // +optional BaseOSImagePullspec string `json:"baseOSImagePullspec,omitempty"` // baseImagePullSecret is the secret used to pull the base image. - // must live in the openshift-machine-config-operator namespace - // +kubebuilder:validation:Required - BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret"` + // must live in the openshift-machine-config-operator namespace if provided. + // defaults to using the cluster-wide pull secret if not specified. + // +optional + BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"` // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig // +kubebuilder:validation:Required ImageBuilder *MachineOSImageBuilder `json:"imageBuilder"` diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index aadee09ccc7..4962430502d 100644 --- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml @@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- 
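Review bot: `omitempty` has no effect on a non-pointer struct field in encoding/json, so after this hunk a MachineOSConfig built from the Go type with no `BaseImagePullSecret` still serializes as `"baseImagePullSecret":{"name":""}` instead of omitting the field; only the `+optional` marker and the doc text actually changed. To make absence representable and distinguishable from an empty name, the field should follow the Kubernetes convention for optional structs and become a pointer, `BaseImagePullSecret *ImageSecretObjectReference` with the `json:"baseImagePullSecret,omitempty"` tag kept, and the controller should treat nil as "use the cluster-wide pull secret". Whether the apiserver accepts `{name: ""}` depends on the validation on `ImageSecretObjectReference.name`, which is not in this hunk, and the YAML test added in the same patch only covers omission at the API level, not a Go client round-trip. Because omitting the field now silently falls back to the cluster-wide pull secret, the new doc line should carry the same least-privilege caveat this file already gives for renderedImagePushSecret, e.g. `// the cluster-wide pull secret usually grants access to more registries than a purpose-scoped secret; prefer a dedicated secret where possible.` The BuildInputs struct begins and ends outside the hunk.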
@@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index e2560073c6e..c548f9ec659 100644 --- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml @@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- @@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 95fcd5c5672..431689f7b32 100644 
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml @@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- @@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 6c45f35a077..77520f59dca 100644 --- a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- 
@@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go index a51ffee1426..c765089afcf 100644 --- a/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -190,7 +190,7 @@ var map_BuildInputs = map[string]string{ "": "BuildInputs holds all of the information needed to trigger a build", "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", - "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", + "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. 
this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", "renderedImagePushspec": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index a2430334b66..27d7cb10fc8 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -38801,7 +38801,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref common.R }, "baseImagePullSecret": { SchemaProps: spec.SchemaProps{ - Description: "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", + Description: "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), }, @@ -38859,7 +38859,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref common.R }, }, }, - Required: []string{"baseImagePullSecret", "imageBuilder", "renderedImagePushSecret", "renderedImagePushspec"}, + Required: []string{"imageBuilder", "renderedImagePushSecret", "renderedImagePushspec"}, }, }, Dependencies: []string{ 
diff --git a/openapi/openapi.json b/openapi/openapi.json index 33384de2a3c..78cd94cbdf3 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -22393,14 +22393,13 @@ "description": "BuildInputs holds all of the information needed to trigger a build", "type": "object", "required": [ - "baseImagePullSecret", "imageBuilder", "renderedImagePushSecret", "renderedImagePushspec" ], "properties": { "baseImagePullSecret": { - "description": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", + "description": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" }, diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index aadee09ccc7..4962430502d 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml @@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- 
@@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index e2560073c6e..c548f9ec659 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml @@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- @@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 95fcd5c5672..431689f7b32 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -53,7 +53,8 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. properties: name: description: |- @@ -195,7 +196,6 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec From 4c9f154c6d95b8b0ba2d59d1ae9c53f6dc068564 Mon Sep 17 00:00:00 2001 
From: Yu Qi Zhang Date: Fri, 8 Nov 2024 17:20:58 -0500 Subject: [PATCH 2/7] Add v1 versions of OnClusterBuild APIs First step to GA'ing the currently v1alpha1 APIs. Don't add to payload manifests yet, and the featuregate is retained. --- machineconfiguration/v1/register.go | 4 + .../OnClusterBuild.yaml | 64 +++ .../OnClusterBuild.yaml | 134 ++++++ .../v1/types_machineosbuild.go | 171 ++++++++ .../v1/types_machineosconfig.go | 228 ++++++++++ ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 288 +++++++++++++ ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 288 +++++++++++++ ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 288 +++++++++++++ ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 330 ++++++++++++++ ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 330 ++++++++++++++ ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 330 ++++++++++++++ .../v1/zz_generated.deepcopy.go | 401 ++++++++++++++++++ ..._generated.featuregated-crd-manifests.yaml | 63 +++ .../OnClusterBuild.yaml | 288 +++++++++++++ .../OnClusterBuild.yaml | 330 ++++++++++++++ .../v1/zz_generated.swagger_doc_generated.go | 186 ++++++++ 16 files changed, 3723 insertions(+) create mode 100644 machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml create mode 100644 machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml create mode 100644 machineconfiguration/v1/types_machineosbuild.go create mode 100644 machineconfiguration/v1/types_machineosconfig.go create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml create mode 100644 
machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml create mode 100644 machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml diff --git a/machineconfiguration/v1/register.go b/machineconfiguration/v1/register.go index bbafc28dea3..cddaa853015 100644 --- a/machineconfiguration/v1/register.go +++ b/machineconfiguration/v1/register.go @@ -34,6 +34,10 @@ func addKnownTypes(scheme *runtime.Scheme) error { &MachineConfigList{}, &MachineConfigPool{}, &MachineConfigPoolList{}, + &MachineOSConfig{}, + &MachineOSConfigList{}, + &MachineOSBuild{}, + &MachineOSBuildList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) diff --git a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..f8668870b4f --- /dev/null +++ b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,64 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[TechPreview] MachineOSBuild" +crdName: machineosbuilds.machineconfiguration.openshift.io +featureGate: OnClusterBuild +tests: + onCreate: + - name: Should be able to create a minimal MachineOSBuild + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + configGeneration: 1 + desiredConfig: + name: rendered-worker-abcd + version: 1 + machineOSConfig: + name: worker + renderedImagePushspec: quay.io/cdoern/mco:latest + expected: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + configGeneration: 1 + desiredConfig: + name: rendered-worker-abcd + version: 1 + machineOSConfig: + name: worker + renderedImagePushspec: quay.io/cdoern/mco:latest + - name: fail on invalid version + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + configGeneration: 1 + desiredConfig: + name: rendered-worker-abcd + version: 0 + machineOSConfig: + name: worker + renderedImagePushspec: quay.io/cdoern/mco:latest + expectedError: "Invalid value: 0: spec.version in body should be greater than or equal to 1" + - name: fail on invalid configGeneration + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + configGeneration: 0 + desiredConfig: + name: rendered-worker-abcd + version: 1 + machineOSConfig: + name: worker + renderedImagePushspec: quay.io/cdoern/mco:latest + expectedError: "Invalid value: 0: spec.configGeneration in body should be greater than or equal to 1" + 
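Review bot: Every `initial` and `expected` document in this new `machineconfiguration/v1/tests/...` suite declares `apiVersion: machineconfiguration.openshift.io/v1alpha1`, so if the harness serves the version named in the object these four cases exercise the existing alpha schema rather than the v1 MachineOSBuild CRD this patch introduces. Each occurrence should read `apiVersion: machineconfiguration.openshift.io/v1`. The `configGeneration`/`version` minimum checks are otherwise sensible, but they only prove something about v1 once the version line is corrected.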
diff --git a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..30484df888a --- /dev/null +++ b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,134 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[TechPreview] MachineOSConfig" +crdName: machineosconfigs.machineconfiguration.openshift.io +featureGate: OnClusterBuild +tests: + onCreate: + - name: Should be able to create a minimal MachineOSConfig + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: quay.io/cdoern/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + expected: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: quay.io/cdoern/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + - name: Fail on invalid rendered image pushspec + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + 
baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: foo.bar + buildOutputs: + currentImagePullSecret: + name: foo + expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + - name: Fail on invalid base image pullspec + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: foo.bar + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: quay.io/cdoern/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + - name: Allows for an empty pull secret + initial: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + 
renderedImagePushspec: quay.io/cdoern/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + expected: | + apiVersion: machineconfiguration.openshift.io/v1alpha1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: quay.io/cdoern/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo diff --git a/machineconfiguration/v1/types_machineosbuild.go b/machineconfiguration/v1/types_machineosbuild.go new file mode 100644 index 00000000000..bbd98adc77c --- /dev/null +++ b/machineconfiguration/v1/types_machineosbuild.go 
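Review bot: This new v1 test file is created with blob `30484df888a`, the same blob the first patch in the series leaves at the v1alpha1 `OnClusterBuild.yaml`, so it is a byte-for-byte copy and still sets `apiVersion: machineconfiguration.openshift.io/v1alpha1` in every case; the v1 MachineOSConfig schema added here is not actually what gets validated. Switch each `apiVersion` line to `machineconfiguration.openshift.io/v1`. Consider also replacing the `quay.io/cdoern/...` pushspecs with a neutral `example.com` reference, since a personal registry namespace in a GA fixture is easy to mistake for a supported default.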
@@ -0,0 +1,171 @@ +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=machineosbuilds,scope=Cluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1773 +// +openshift:enable:FeatureGate=OnClusterBuild +// +openshift:file-pattern=cvoRunLevel=0000_80,operatorName=machine-config,operatorOrdering=01 +// +kubebuilder:metadata:labels=openshift.io/operator-managed= +// +kubebuilder:printcolumn:name="Prepared",type="string",JSONPath=.status.conditions[?(@.type=="Prepared")].status +// +kubebuilder:printcolumn:name="Building",type="string",JSONPath=.status.conditions[?(@.type=="Building")].status +// +kubebuilder:printcolumn:name="Succeeded",type="string",JSONPath=.status.conditions[?(@.type=="Succeeded")].status +// +kubebuilder:printcolumn:name="Interrupted",type="string",JSONPath=.status.conditions[?(@.type=="Interrupted")].status +// +kubebuilder:printcolumn:name="Failed",type="string",JSONPath=.status.conditions[?(@.type=="Failed")].status + +// MachineOSBuild describes a build process managed and deployed by the MCO +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). 
+// +openshift:compatibility-gen:level=1 +type MachineOSBuild struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec describes the configuration of the machine os build + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="machineOSBuildSpec is immutable once set" + // +kubebuilder:validation:Required + Spec MachineOSBuildSpec `json:"spec"` + + // status describes the lst observed state of this machine os build + // +optional + Status MachineOSBuildStatus `json:"status"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// MachineOSBuildList describes all of the Builds on the system +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSBuildList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + + Items []MachineOSBuild `json:"items"` +} + +// MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object. +type MachineOSBuildSpec struct { + // configGeneration tracks which version of MachineOSConfig this build is based off of + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Required + ConfigGeneration int64 `json:"configGeneration"` + // desiredConfig is the desired config we want to build an image for. 
+ // +kubebuilder:validation:Required + DesiredConfig RenderedMachineConfigReference `json:"desiredConfig"` + // machineOSConfig is the config object which the build is based off of + // +kubebuilder:validation:Required + MachineOSConfig MachineOSConfigReference `json:"machineOSConfig"` + // version tracks the newest MachineOSBuild for each MachineOSConfig + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Required + Version int64 `json:"version"` + // renderedImagePushspec is set from the MachineOSConfig + // The format of the image pullspec is: + // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image reference must end with a valid :, where '' is 64 characters long and '' is any valid string Or it must be a valid .svc followed by a port, repository, image name, and tag." + // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + // +kubebuilder:validation:Required + RenderedImagePushspec string `json:"renderedImagePushspec"` +} + +// MachineOSBuildStatus describes the state of a build and other helpful information. +type MachineOSBuildStatus struct { + // conditions are state related conditions for the build. 
Valid types are: + // Prepared, Building, Failed, Interrupted, and Succeeded + // once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // ImageBuilderType describes the image builder set in the MachineOSConfig + // +optional + BuilderReference *MachineOSBuilderReference `json:"builderReference"` + // relatedObjects is a list of objects that are related to the build process. + RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"` + // buildStart describes when the build started. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildStart is immutable once set" + // +kubebuilder:validation:Required + BuildStart *metav1.Time `json:"buildStart"` + // buildEnd describes when the build ended. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildEnd is immutable once set" + //+optional + BuildEnd *metav1.Time `json:"buildEnd,omitempty"` + // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format. + // +kubebuilder:validation:XValidation:rule=`((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" + // +optional + FinalImagePushspec string `json:"finalImagePullspec,omitempty"` +} + +// MachineOSBuilderReference describes which ImageBuilder backend to use for this build/ +// +union +// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'PodImageBuilder' ? 
true : !has(self.buildPod)",message="buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise" +type MachineOSBuilderReference struct { + // ImageBuilderType describes the image builder set in the MachineOSConfig + // +unionDiscriminator + ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"` + + // relatedObjects is a list of objects that are related to the build process. + // +unionMember,optional + PodImageBuilder *ObjectReference `json:"buildPod,omitempty"` +} + +// BuildProgess highlights some of the key phases of a build to be tracked in Conditions. +type BuildProgress string + +const ( + // prepared indicates that the build has finished preparing. A build is prepared + // by gathering the build inputs, validating them, and making sure we can do an update as specified. + MachineOSBuildPrepared BuildProgress = "Prepared" + // building indicates that the build has been kicked off with the specified image builder + MachineOSBuilding BuildProgress = "Building" + // failed indicates that during the build or preparation process, the build failed. + MachineOSBuildFailed BuildProgress = "Failed" + // interrupted indicates that the user stopped the build process by modifying part of the build config + MachineOSBuildInterrupted BuildProgress = "Interrupted" + // succeeded indicates that the build has completed and the image is ready to roll out. + MachineOSBuildSucceeded BuildProgress = "Succeeded" +) + +// Refers to the name of a rendered MachineConfig (e.g., "rendered-worker-ec40d2965ff81bce7cd7a7e82a680739", etc.): +// the build targets this MachineConfig, this is often used to tell us whether we need an update. +type RenderedMachineConfigReference struct { + // name is the name of the rendered MachineConfig object. 
+ // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$` + // +kubebuilder:validation:Required + Name string `json:"name"` +} + +// ObjectReference contains enough information to let you inspect or modify the referred object. +type ObjectReference struct { + // group of the referent. + // +kubebuilder:validation:Required + Group string `json:"group"` + // resource of the referent. + // +kubebuilder:validation:Required + Resource string `json:"resource"` + // namespace of the referent. + // +optional + Namespace string `json:"namespace,omitempty"` + // name of the referent. + // +kubebuilder:validation:Required + Name string `json:"name"` +} + +// MachineOSConfigReference refers to the MachineOSConfig this build is based off of +type MachineOSConfigReference struct { + // name of the MachineOSConfig + // +kubebuilder:validation:Required + Name string `json:"name"` +} diff --git a/machineconfiguration/v1/types_machineosconfig.go b/machineconfiguration/v1/types_machineosconfig.go new file mode 100644 index 00000000000..907d6836ff3 --- /dev/null +++ b/machineconfiguration/v1/types_machineosconfig.go 
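Review bot: The CEL rule on MachineOSBuilderReference does not enforce what its message claims: `has(self.imageBuilderType) && self.imageBuilderType == 'PodImageBuilder' ? true : !has(self.buildPod)` is true for PodImageBuilder whether or not buildPod is set, so only the "forbidden otherwise" half is ever checked. If buildPod really is required for that discriminator, the true branch should be `... ? has(self.buildPod) : !has(self.buildPod)`; otherwise the message should drop the "is required" wording. In the same struct, imageBuilderType carries neither `+kubebuilder:validation:Enum:=PodImageBuilder` nor `+kubebuilder:validation:Required`, unlike MachineOSImageBuilder in types_machineosconfig.go, so any string is accepted as the union discriminator. Separately, FinalImagePushspec is serialized under `json:"finalImagePullspec,omitempty"` while the Go name and its doc comment say pushspec; in a level-1 API the JSON name is what gets frozen, so this should be reconciled before v1 ships.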
@@ -0,0 +1,228 @@ +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=machineosconfigs,scope=Cluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1773 +// +openshift:enable:FeatureGate=OnClusterBuild +// +openshift:file-pattern=cvoRunLevel=0000_80,operatorName=machine-config,operatorOrdering=01 +// +kubebuilder:metadata:labels=openshift.io/operator-managed= + +// MachineOSConfig describes the configuration for a build process managed by the MCO +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSConfig struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec describes the configuration of the machineosconfig + // +kubebuilder:validation:Required + Spec MachineOSConfigSpec `json:"spec"` + + // status describes the status of the machineosconfig + // +optional + Status MachineOSConfigStatus `json:"status,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// MachineOSConfigList describes all configurations for image builds on the system +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSConfigList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []MachineOSConfig `json:"items"` +} + +// MachineOSConfigSpec describes user-configurable options as well as information about a build process. 
+type MachineOSConfigSpec struct { + // machineConfigPool is the pool which the build is for + // +kubebuilder:validation:Required + MachineConfigPool MachineConfigPoolReference `json:"machineConfigPool"` + // buildInputs is where user input options for the build live + // +kubebuilder:validation:Required + BuildInputs BuildInputs `json:"buildInputs"` + // buildOutputs is where user input options for the build live + // +optional + BuildOutputs BuildOutputs `json:"buildOutputs,omitempty"` +} + +// MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig +type MachineOSConfigStatus struct { + // conditions are state related conditions for the config. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // observedGeneration represents the generation observed by the controller. + // this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + // +kubebuilder:validation:Required + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + // currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. 
+ // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" + // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + // +optional + CurrentImagePullspec string `json:"currentImagePullspec,omitempty"` +} + +// BuildInputs holds all of the information needed to trigger a build +type BuildInputs struct { + // baseOSExtensionsImagePullspec is the base Extensions image used in the build process + // the MachineOSConfig object will use the in cluster image registry configuration. + // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ // The format of the image pullspec is: + // host[:port][/namespace]/name@sha256: + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" + // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + // +optional + BaseOSExtensionsImagePullspec string `json:"baseOSExtensionsImagePullspec,omitempty"` + // baseOSImagePullspec is the base OSImage we use to build our custom image. + // the MachineOSConfig object will use the in cluster image registry configuration. + // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + // The format of the image pullspec is: + // host[:port][/namespace]/name@sha256: + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" + // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + // +optional + BaseOSImagePullspec string `json:"baseOSImagePullspec,omitempty"` + // baseImagePullSecret is the secret used to pull the base image. 
+ // must live in the openshift-machine-config-operator namespace if provided. + // defaults to using the cluster-wide pull secret if not specified. + // +optional + BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"` + // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig + // +kubebuilder:validation:Required + ImageBuilder *MachineOSImageBuilder `json:"imageBuilder"` + // renderedImagePushSecret is the secret used to connect to a user registry. + // the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + // that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + // that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + // this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them + // will only need to pull the image in order to use it. + // +kubebuilder:validation:Required + RenderedImagePushSecret ImageSecretObjectReference `json:"renderedImagePushSecret"` + // renderedImagePushspec describes the location of the final image. + // the MachineOSConfig object will use the in cluster image registry configuration. + // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ // The format of the image pushspec is: + // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image reference must end with a valid :, where '' is 64 characters long and '' is any valid string Or it must be a valid .svc followed by a port, repository, image name, and tag." + // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + // +kubebuilder:validation:Required + RenderedImagePushspec string `json:"renderedImagePushspec"` + // releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + // This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. + // It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. + // This is used as a label in the dockerfile that builds the OS image. + // +optional + ReleaseVersion string `json:"releaseVersion,omitempty"` + // containerFile describes the custom data the user has specified to build into the image. + // this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. 
+ // +patchMergeKey=containerfileArch + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerfileArch + // +kubebuilder:validation:MinItems=0 + // +kubebuilder:validation:MaxItems=7 + // +optional + Containerfile []MachineOSContainerfile `json:"containerFile" patchStrategy:"merge" patchMergeKey:"containerfileArch"` +} + +// BuildOutputs holds all information needed to handle booting the image after a build +// +union +type BuildOutputs struct { + // currentImagePullSecret is the secret used to pull the final produced image. + // must live in the openshift-machine-config-operator namespace + // the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + // that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + // that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + // this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + // +optional + CurrentImagePullSecret ImageSecretObjectReference `json:"currentImagePullSecret,omitempty"` +} + +type MachineOSImageBuilder struct { + // imageBuilderType specifies the backend to be used to build the image. + // +kubebuilder:default:=PodImageBuilder + // +kubebuilder:validation:Enum:=PodImageBuilder + // Valid options are: PodImageBuilder + ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"` +} + +// MachineOSContainerfile contains all custom content the user wants built into the image +type MachineOSContainerfile struct { + // containerfileArch describes the architecture this containerfile is to be built for + // this arch is optional. 
If the user does not specify an architecture, it is assumed + // that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + // +kubebuilder:validation:Enum:=arm64;amd64;ppc64le;s390x;aarch64;x86_64;noarch + // +kubebuilder:default:=noarch + // +optional + ContainerfileArch ContainerfileArch `json:"containerfileArch"` + // content is the custom content to be built + // +kubebuilder:validation:Required + Content string `json:"content"` +} + +type ContainerfileArch string + +const ( + // describes the arm64 architecture + Arm64 ContainerfileArch = "arm64" + // describes the amd64 architecture + Amd64 ContainerfileArch = "amd64" + // describes the ppc64le architecture + Ppc ContainerfileArch = "ppc64le" + // describes the s390x architecture + S390 ContainerfileArch = "s390x" + // describes the aarch64 architecture + Aarch64 ContainerfileArch = "aarch64" + // describes the fx86_64 architecture + X86_64 ContainerfileArch = "x86_64" + // describes a containerfile that can be applied to any arch + NoArch ContainerfileArch = "noarch" +) + +// Refers to the name of a MachineConfigPool (e.g., "worker", "infra", etc.): +// the MachineOSBuilder pod validates that the user has provided a valid pool +type MachineConfigPoolReference struct { + // name of the MachineConfigPool object. + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$` + // +kubebuilder:validation:Required + Name string `json:"name"` +} + +// Refers to the name of an image registry push/pull secret needed in the build process. +type ImageSecretObjectReference struct { + // name is the name of the secret used to push or pull this MachineOSConfig object. + // this secret must be in the openshift-machine-config-operator namespace. 
+ // +kubebuilder:validation:Required + Name string `json:"name"` +} + +type MachineOSImageBuilderType string + +const ( + // describes that the machine-os-builder will use a custom pod builder that uses buildah + PodBuilder MachineOSImageBuilderType = "PodImageBuilder" +) diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..fce7d4164dc --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml 
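Review bot: Marking BaseImagePullSecret and CurrentImagePullSecret `+optional` does not make them omittable from Go: `omitempty` has no effect on a non-pointer struct in encoding/json, so a client that leaves them unset still sends `"baseImagePullSecret":{}`, and with ImageSecretObjectReference.Name marked `+kubebuilder:validation:Required` (presumably emitted as `required: [name]`, as it is for desiredConfig in the machineosbuilds CRD) the apiserver rejects the object — the YAML test passes only because it omits the key entirely. Change both fields to pointers (`BaseImagePullSecret *ImageSecretObjectReference` and `CurrentImagePullSecret *ImageSecretObjectReference`, keeping the existing json tags) so the documented cluster-wide-pull-secret fallback is actually reachable from typed clients. ImageSecretObjectReference.Name also has no length or format bound, while MachineConfigPoolReference.Name in the same file gets `MaxLength:=253` plus the DNS-subdomain pattern; since this name is resolved as a Secret in openshift-machine-config-operator, the same two markers belong here. The fallback to the cluster-wide pull secret deserves an explicit caveat in the field doc as well, since the build then presumably runs with every registry credential that secret carries rather than a scoped one — something an admin should see before leaving the field empty.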
@@ -0,0 +1,288 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine os build + properties: + configGeneration: + description: configGeneration tracks which version of MachineOSConfig + this build is based off of + format: int64 + minimum: 1 + type: integer + desiredConfig: + description: desiredConfig is the desired config we want to build + an image for. + properties: + name: + description: name is the name of the rendered MachineConfig object. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + machineOSConfig: + description: machineOSConfig is the config object which the build + is based off of + properties: + name: + description: name of the MachineOSConfig + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec is set from the MachineOSConfig + The format of the image pullspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, where + '' is 64 characters long and '' is any valid string Or + it must be a valid .svc followed by a port, repository, image + name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. 
Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + version: + description: version tracks the newest MachineOSBuild for each MachineOSConfig + format: int64 + minimum: 1 + type: integer + required: + - configGeneration + - desiredConfig + - machineOSConfig + - renderedImagePushspec + - version + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the lst observed state of this machine os + build + properties: + buildEnd: + description: buildEnd describes when the build ended. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart describes when the build started. + format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builderReference: + description: ImageBuilderType describes the image builder set in the + MachineOSConfig + properties: + buildPod: + description: relatedObjects is a list of objects that are related + to the build process. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. 
+ type: string + required: + - group + - name + - resource + type: object + imageBuilderType: + description: ImageBuilderType describes the image builder set + in the MachineOSConfig + type: string + type: object + x-kubernetes-validations: + - message: buildPod is required when imageBuilderType is PodImageBuilder, + and forbidden otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' + ? true : !has(self.buildPod)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded + once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + finalImagePullspec: + description: finalImagePushSpec describes the fully qualified pushspec + produced by this build that the final image can be. Must be in sha + format. + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + relatedObjects: + description: relatedObjects is a list of objects that are related + to the build process. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. + type: string + required: + - group + - name + - resource + type: object + type: array + required: + - buildStart + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..ebf17972db9 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,288 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine os build + properties: + configGeneration: + description: configGeneration tracks which version of MachineOSConfig + this build is based off of + format: int64 + minimum: 1 + type: integer + desiredConfig: + description: desiredConfig is the desired config we want to build + an image for. + properties: + name: + description: name is the name of the rendered MachineConfig object. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + machineOSConfig: + description: machineOSConfig is the config object which the build + is based off of + properties: + name: + description: name of the MachineOSConfig + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec is set from the MachineOSConfig + The format of the image pullspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, where + '' is 64 characters long and '' is any valid string Or + it must be a valid .svc followed by a port, repository, image + name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. 
Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + version: + description: version tracks the newest MachineOSBuild for each MachineOSConfig + format: int64 + minimum: 1 + type: integer + required: + - configGeneration + - desiredConfig + - machineOSConfig + - renderedImagePushspec + - version + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the lst observed state of this machine os + build + properties: + buildEnd: + description: buildEnd describes when the build ended. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart describes when the build started. + format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builderReference: + description: ImageBuilderType describes the image builder set in the + MachineOSConfig + properties: + buildPod: + description: relatedObjects is a list of objects that are related + to the build process. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. 
+ type: string + required: + - group + - name + - resource + type: object + imageBuilderType: + description: ImageBuilderType describes the image builder set + in the MachineOSConfig + type: string + type: object + x-kubernetes-validations: + - message: buildPod is required when imageBuilderType is PodImageBuilder, + and forbidden otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' + ? true : !has(self.buildPod)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded + once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + finalImagePullspec: + description: finalImagePushSpec describes the fully qualified pushspec + produced by this build that the final image can be. Must be in sha + format. + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + relatedObjects: + description: relatedObjects is a list of objects that are related + to the build process. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. + type: string + required: + - group + - name + - resource + type: object + type: array + required: + - buildStart + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..083a341e806 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,288 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine os build + properties: + configGeneration: + description: configGeneration tracks which version of MachineOSConfig + this build is based off of + format: int64 + minimum: 1 + type: integer + desiredConfig: + description: desiredConfig is the desired config we want to build + an image for. + properties: + name: + description: name is the name of the rendered MachineConfig object. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + machineOSConfig: + description: machineOSConfig is the config object which the build + is based off of + properties: + name: + description: name of the MachineOSConfig + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec is set from the MachineOSConfig + The format of the image pullspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, where + '' is 64 characters long and '' is any valid string Or + it must be a valid .svc followed by a port, repository, image + name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. 
Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + version: + description: version tracks the newest MachineOSBuild for each MachineOSConfig + format: int64 + minimum: 1 + type: integer + required: + - configGeneration + - desiredConfig + - machineOSConfig + - renderedImagePushspec + - version + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the lst observed state of this machine os + build + properties: + buildEnd: + description: buildEnd describes when the build ended. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart describes when the build started. + format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builderReference: + description: ImageBuilderType describes the image builder set in the + MachineOSConfig + properties: + buildPod: + description: relatedObjects is a list of objects that are related + to the build process. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. 
+ type: string + required: + - group + - name + - resource + type: object + imageBuilderType: + description: ImageBuilderType describes the image builder set + in the MachineOSConfig + type: string + type: object + x-kubernetes-validations: + - message: buildPod is required when imageBuilderType is PodImageBuilder, + and forbidden otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' + ? true : !has(self.buildPod)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded + once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + finalImagePullspec: + description: finalImagePushSpec describes the fully qualified pushspec + produced by this build that the final image can be. Must be in sha + format. + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + relatedObjects: + description: relatedObjects is a list of objects that are related + to the build process. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. + type: string + required: + - group + - name + - resource + type: object + type: array + required: + - buildStart + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..3e9e21c67ba --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,330 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + buildInputs: + description: buildInputs is where user input options for the build + live + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + baseOSExtensionsImagePullspec: + description: |- + baseOSExtensionsImagePullspec is the base Extensions image used in the build process + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + baseOSImagePullspec: + description: |- + baseOSImagePullspec is the base OSImage we use to build our custom image. 
+ the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: noarch + description: |- + containerfileArch describes the architecture this containerfile is to be built for + this arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. 
+ enum: + - arm64 + - amd64 + - ppc64le + - s390x + - aarch64 + - x86_64 + - noarch + type: string + content: + description: content is the custom content to be built + type: string + required: + - content + type: object + maxItems: 7 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: machineOSImageBuilder describes which image builder + will be used in each build triggered by this MachineOSConfig + properties: + imageBuilderType: + default: PodImageBuilder + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: PodImageBuilder + enum: + - PodImageBuilder + type: string + type: object + releaseVersion: + description: |- + releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. + It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. + This is used as a label in the dockerfile that builds the OS image. + type: string + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this push secret will be used only by the MachineConfigController pod to push the image to the final destination. 
Not all nodes will need to push this image, most of them + will only need to pull the image in order to use it. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec describes the location of the final image. + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pushspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, + where '' is 64 characters long and '' is any + valid string Or it must be a valid .svc followed by a port, + repository, image name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. 
+ rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + required: + - imageBuilder + - renderedImagePushSecret + - renderedImagePushspec + type: object + buildOutputs: + description: buildOutputs is where user input options for the build + live + properties: + currentImagePullSecret: + description: |- + currentImagePullSecret is the secret used to pull the final produced image. + must live in the openshift-machine-config-operator namespace + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + type: object + machineConfigPool: + description: machineConfigPool is the pool which the build is for + properties: + name: + description: name of the MachineConfigPool object. 
+ maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + required: + - buildInputs + - machineConfigPool + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the config. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullspec: + description: currentImagePullspec is the fully qualified image pull + spec used by the MCO to pull down the new OSImage. This must include + sha256. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + observedGeneration: + description: |- + observedGeneration represents the generation observed by the controller. + this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + format: int64 + type: integer + required: + - observedGeneration + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..d1392e75a70 --- /dev/null 
+++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,330 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + buildInputs: + description: buildInputs is where user input options for the build + live + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + baseOSExtensionsImagePullspec: + description: |- + baseOSExtensionsImagePullspec is the base Extensions image used in the build process + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + baseOSImagePullspec: + description: |- + baseOSImagePullspec is the base OSImage we use to build our custom image. 
+ the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: noarch + description: |- + containerfileArch describes the architecture this containerfile is to be built for + this arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. 
+ enum: + - arm64 + - amd64 + - ppc64le + - s390x + - aarch64 + - x86_64 + - noarch + type: string + content: + description: content is the custom content to be built + type: string + required: + - content + type: object + maxItems: 7 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: machineOSImageBuilder describes which image builder + will be used in each build triggered by this MachineOSConfig + properties: + imageBuilderType: + default: PodImageBuilder + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: PodImageBuilder + enum: + - PodImageBuilder + type: string + type: object + releaseVersion: + description: |- + releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. + It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. + This is used as a label in the dockerfile that builds the OS image. + type: string + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this push secret will be used only by the MachineConfigController pod to push the image to the final destination. 
Not all nodes will need to push this image, most of them + will only need to pull the image in order to use it. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec describes the location of the final image. + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pushspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, + where '' is 64 characters long and '' is any + valid string Or it must be a valid .svc followed by a port, + repository, image name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. 
+ rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + required: + - imageBuilder + - renderedImagePushSecret + - renderedImagePushspec + type: object + buildOutputs: + description: buildOutputs is where user input options for the build + live + properties: + currentImagePullSecret: + description: |- + currentImagePullSecret is the secret used to pull the final produced image. + must live in the openshift-machine-config-operator namespace + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + type: object + machineConfigPool: + description: machineConfigPool is the pool which the build is for + properties: + name: + description: name of the MachineConfigPool object. 
+ maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + required: + - buildInputs + - machineConfigPool + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the config. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullspec: + description: currentImagePullspec is the fully qualified image pull + spec used by the MCO to pull down the new OSImage. This must include + sha256. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + observedGeneration: + description: |- + observedGeneration represents the generation observed by the controller. + this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + format: int64 + type: integer + required: + - observedGeneration + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..7e9ca857a52 --- /dev/null 
+++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,330 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + buildInputs: + description: buildInputs is where user input options for the build + live + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + baseOSExtensionsImagePullspec: + description: |- + baseOSExtensionsImagePullspec is the base Extensions image used in the build process + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + baseOSImagePullspec: + description: |- + baseOSImagePullspec is the base OSImage we use to build our custom image. 
+ the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: noarch + description: |- + containerfileArch describes the architecture this containerfile is to be built for + this arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. 
+ enum: + - arm64 + - amd64 + - ppc64le + - s390x + - aarch64 + - x86_64 + - noarch + type: string + content: + description: content is the custom content to be built + type: string + required: + - content + type: object + maxItems: 7 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: machineOSImageBuilder describes which image builder + will be used in each build triggered by this MachineOSConfig + properties: + imageBuilderType: + default: PodImageBuilder + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: PodImageBuilder + enum: + - PodImageBuilder + type: string + type: object + releaseVersion: + description: |- + releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. + It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. + This is used as a label in the dockerfile that builds the OS image. + type: string + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this push secret will be used only by the MachineConfigController pod to push the image to the final destination. 
Not all nodes will need to push this image, most of them + will only need to pull the image in order to use it. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec describes the location of the final image. + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pushspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, + where '' is 64 characters long and '' is any + valid string Or it must be a valid .svc followed by a port, + repository, image name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. 
+ rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + required: + - imageBuilder + - renderedImagePushSecret + - renderedImagePushspec + type: object + buildOutputs: + description: buildOutputs is where user input options for the build + live + properties: + currentImagePullSecret: + description: |- + currentImagePullSecret is the secret used to pull the final produced image. + must live in the openshift-machine-config-operator namespace + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + type: object + machineConfigPool: + description: machineConfigPool is the pool which the build is for + properties: + name: + description: name of the MachineConfigPool object. 
+ maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + required: + - buildInputs + - machineConfigPool + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the config. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullspec: + description: currentImagePullspec is the fully qualified image pull + spec used by the MCO to pull down the new OSImage. This must include + sha256. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + observedGeneration: + description: |- + observedGeneration represents the generation observed by the controller. + this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + format: int64 + type: integer + required: + - observedGeneration + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.deepcopy.go b/machineconfiguration/v1/zz_generated.deepcopy.go index 9ad13130fe3..429586a4211 100644 --- a/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/machineconfiguration/v1/zz_generated.deepcopy.go 
@@ -13,6 +13,51 @@ import ( intstr "k8s.io/apimachinery/pkg/util/intstr" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BuildInputs) DeepCopyInto(out *BuildInputs) { + *out = *in + out.BaseImagePullSecret = in.BaseImagePullSecret + if in.ImageBuilder != nil { + in, out := &in.ImageBuilder, &out.ImageBuilder + *out = new(MachineOSImageBuilder) + **out = **in + } + out.RenderedImagePushSecret = in.RenderedImagePushSecret + if in.Containerfile != nil { + in, out := &in.Containerfile, &out.Containerfile + *out = make([]MachineOSContainerfile, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildInputs. +func (in *BuildInputs) DeepCopy() *BuildInputs { + if in == nil { + return nil + } + out := new(BuildInputs) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BuildOutputs) DeepCopyInto(out *BuildOutputs) { + *out = *in + out.CurrentImagePullSecret = in.CurrentImagePullSecret + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildOutputs. +func (in *BuildOutputs) DeepCopy() *BuildOutputs { + if in == nil { + return nil + } + out := new(BuildOutputs) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertExpiry) DeepCopyInto(out *CertExpiry) { *out = *in 
@@ -431,6 +476,22 @@ func (in *ImageRegistryBundle) DeepCopy() *ImageRegistryBundle { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSecretObjectReference) DeepCopyInto(out *ImageSecretObjectReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSecretObjectReference. +func (in *ImageSecretObjectReference) DeepCopy() *ImageSecretObjectReference { + if in == nil { + return nil + } + out := new(ImageSecretObjectReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeletConfig) DeepCopyInto(out *KubeletConfig) { *out = *in @@ -711,6 +772,22 @@ func (in *MachineConfigPoolList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigPoolReference) DeepCopyInto(out *MachineConfigPoolReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigPoolReference. +func (in *MachineConfigPoolReference) DeepCopy() *MachineConfigPoolReference { + if in == nil { + return nil + } + out := new(MachineConfigPoolReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigPoolSpec) DeepCopyInto(out *MachineConfigPoolSpec) { *out = *in 
@@ -833,6 +910,298 @@ func (in *MachineConfigSpec) DeepCopy() *MachineConfigSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuild) DeepCopyInto(out *MachineOSBuild) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuild. +func (in *MachineOSBuild) DeepCopy() *MachineOSBuild { + if in == nil { + return nil + } + out := new(MachineOSBuild) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MachineOSBuild) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuildList) DeepCopyInto(out *MachineOSBuildList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]MachineOSBuild, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuildList. +func (in *MachineOSBuildList) DeepCopy() *MachineOSBuildList { + if in == nil { + return nil + } + out := new(MachineOSBuildList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *MachineOSBuildList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuildSpec) DeepCopyInto(out *MachineOSBuildSpec) { + *out = *in + out.DesiredConfig = in.DesiredConfig + out.MachineOSConfig = in.MachineOSConfig + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuildSpec. +func (in *MachineOSBuildSpec) DeepCopy() *MachineOSBuildSpec { + if in == nil { + return nil + } + out := new(MachineOSBuildSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuildStatus) DeepCopyInto(out *MachineOSBuildStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.BuilderReference != nil { + in, out := &in.BuilderReference, &out.BuilderReference + *out = new(MachineOSBuilderReference) + (*in).DeepCopyInto(*out) + } + if in.RelatedObjects != nil { + in, out := &in.RelatedObjects, &out.RelatedObjects + *out = make([]ObjectReference, len(*in)) + copy(*out, *in) + } + if in.BuildStart != nil { + in, out := &in.BuildStart, &out.BuildStart + *out = (*in).DeepCopy() + } + if in.BuildEnd != nil { + in, out := &in.BuildEnd, &out.BuildEnd + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuildStatus. 
+func (in *MachineOSBuildStatus) DeepCopy() *MachineOSBuildStatus { + if in == nil { + return nil + } + out := new(MachineOSBuildStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuilderReference) DeepCopyInto(out *MachineOSBuilderReference) { + *out = *in + if in.PodImageBuilder != nil { + in, out := &in.PodImageBuilder, &out.PodImageBuilder + *out = new(ObjectReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuilderReference. +func (in *MachineOSBuilderReference) DeepCopy() *MachineOSBuilderReference { + if in == nil { + return nil + } + out := new(MachineOSBuilderReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfig) DeepCopyInto(out *MachineOSConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfig. +func (in *MachineOSConfig) DeepCopy() *MachineOSConfig { + if in == nil { + return nil + } + out := new(MachineOSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MachineOSConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *MachineOSConfigList) DeepCopyInto(out *MachineOSConfigList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]MachineOSConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigList. +func (in *MachineOSConfigList) DeepCopy() *MachineOSConfigList { + if in == nil { + return nil + } + out := new(MachineOSConfigList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MachineOSConfigList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigReference) DeepCopyInto(out *MachineOSConfigReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigReference. +func (in *MachineOSConfigReference) DeepCopy() *MachineOSConfigReference { + if in == nil { + return nil + } + out := new(MachineOSConfigReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigSpec) DeepCopyInto(out *MachineOSConfigSpec) { + *out = *in + out.MachineConfigPool = in.MachineConfigPool + in.BuildInputs.DeepCopyInto(&out.BuildInputs) + out.BuildOutputs = in.BuildOutputs + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigSpec. 
+func (in *MachineOSConfigSpec) DeepCopy() *MachineOSConfigSpec { + if in == nil { + return nil + } + out := new(MachineOSConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigStatus) DeepCopyInto(out *MachineOSConfigStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigStatus. +func (in *MachineOSConfigStatus) DeepCopy() *MachineOSConfigStatus { + if in == nil { + return nil + } + out := new(MachineOSConfigStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSContainerfile) DeepCopyInto(out *MachineOSContainerfile) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSContainerfile. +func (in *MachineOSContainerfile) DeepCopy() *MachineOSContainerfile { + if in == nil { + return nil + } + out := new(MachineOSContainerfile) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSImageBuilder) DeepCopyInto(out *MachineOSImageBuilder) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSImageBuilder. +func (in *MachineOSImageBuilder) DeepCopy() *MachineOSImageBuilder { + if in == nil { + return nil + } + out := new(MachineOSImageBuilder) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *NetworkInfo) DeepCopyInto(out *NetworkInfo) { *out = *in @@ -854,6 +1223,22 @@ func (in *NetworkInfo) DeepCopy() *NetworkInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference. +func (in *ObjectReference) DeepCopy() *ObjectReference { + if in == nil { + return nil + } + out := new(ObjectReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PinnedImageSetRef) DeepCopyInto(out *PinnedImageSetRef) { *out = *in @@ -885,3 +1270,19 @@ func (in *PoolSynchronizerStatus) DeepCopy() *PoolSynchronizerStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RenderedMachineConfigReference) DeepCopyInto(out *RenderedMachineConfigReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RenderedMachineConfigReference. +func (in *RenderedMachineConfigReference) DeepCopy() *RenderedMachineConfigReference { + if in == nil { + return nil + } + out := new(RenderedMachineConfigReference) + in.DeepCopyInto(out) + return out +} diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index 0766b10691c..ada0d934ab2 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -169,3 +169,66 @@ machineconfigpools.machineconfiguration.openshift.io: TopLevelFeatureGates: [] Version: v1 +machineosbuilds.machineconfiguration.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/1773 + CRDName: machineosbuilds.machineconfiguration.openshift.io + Capability: "" + Category: "" + FeatureGates: + - OnClusterBuild + FilenameOperatorName: machine-config + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_80" + GroupName: machineconfiguration.openshift.io + HasStatus: true + KindName: MachineOSBuild + Labels: + openshift.io/operator-managed: "" + PluralName: machineosbuilds + PrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - OnClusterBuild + Version: v1 + +machineosconfigs.machineconfiguration.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/1773 + CRDName: machineosconfigs.machineconfiguration.openshift.io + Capability: "" + Category: "" + FeatureGates: + - OnClusterBuild + FilenameOperatorName: machine-config + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_80" + GroupName: machineconfiguration.openshift.io + HasStatus: true + KindName: MachineOSConfig + Labels: + openshift.io/operator-managed: "" + PluralName: machineosconfigs + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - OnClusterBuild + Version: v1 + 
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..eefbc505f74 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,288 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/filename-cvo-runlevel: "0000_80" + api.openshift.io/filename-operator: machine-config + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/OnClusterBuild: "true" + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. 
+ Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine os build + properties: + configGeneration: + description: configGeneration tracks which version of MachineOSConfig + this build is based off of + format: int64 + minimum: 1 + type: integer + desiredConfig: + description: desiredConfig is the desired config we want to build + an image for. + properties: + name: + description: name is the name of the rendered MachineConfig object. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + machineOSConfig: + description: machineOSConfig is the config object which the build + is based off of + properties: + name: + description: name of the MachineOSConfig + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec is set from the MachineOSConfig + The format of the image pullspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, where + '' is 64 characters long and '' is any valid string Or + it must be a valid .svc followed by a port, repository, image + name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. 
+ rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + version: + description: version tracks the newest MachineOSBuild for each MachineOSConfig + format: int64 + minimum: 1 + type: integer + required: + - configGeneration + - desiredConfig + - machineOSConfig + - renderedImagePushspec + - version + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the lst observed state of this machine os + build + properties: + buildEnd: + description: buildEnd describes when the build ended. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart describes when the build started. + format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builderReference: + description: ImageBuilderType describes the image builder set in the + MachineOSConfig + properties: + buildPod: + description: relatedObjects is a list of objects that are related + to the build process. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. 
+ type: string + required: + - group + - name + - resource + type: object + imageBuilderType: + description: ImageBuilderType describes the image builder set + in the MachineOSConfig + type: string + type: object + x-kubernetes-validations: + - message: buildPod is required when imageBuilderType is PodImageBuilder, + and forbidden otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' + ? true : !has(self.buildPod)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded + once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + finalImagePullspec: + description: finalImagePushSpec describes the fully qualified pushspec + produced by this build that the final image can be. Must be in sha + format. + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + relatedObjects: + description: relatedObjects is a list of objects that are related + to the build process. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: group of the referent. + type: string + name: + description: name of the referent. + type: string + namespace: + description: namespace of the referent. + type: string + resource: + description: resource of the referent. + type: string + required: + - group + - name + - resource + type: object + type: array + required: + - buildStart + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..5e6043342d2 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,330 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api.openshift.io/filename-cvo-runlevel: "0000_80" + api.openshift.io/filename-operator: machine-config + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/OnClusterBuild: "true" + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + buildInputs: + description: buildInputs is where user input options for the build + live + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. 
+ must live in the openshift-machine-config-operator namespace if provided. + defaults to using the cluster-wide pull secret if not specified. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + baseOSExtensionsImagePullspec: + description: |- + baseOSExtensionsImagePullspec is the base Extensions image used in the build process + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + baseOSImagePullspec: + description: |- + baseOSImagePullspec is the base OSImage we use to build our custom image. + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: noarch + description: |- + containerfileArch describes the architecture this containerfile is to be built for + this arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - arm64 + - amd64 + - ppc64le + - s390x + - aarch64 + - x86_64 + - noarch + type: string + content: + description: content is the custom content to be built + type: string + required: + - content + type: object + maxItems: 7 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: machineOSImageBuilder describes which image builder + will be used in each build triggered by this MachineOSConfig + properties: + imageBuilderType: + default: PodImageBuilder + description: |- + imageBuilderType specifies the backend to be used to build the image. 
+ Valid options are: PodImageBuilder + enum: + - PodImageBuilder + type: string + type: object + releaseVersion: + description: |- + releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. + It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. + This is used as a label in the dockerfile that builds the OS image. + type: string + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them + will only need to pull the image in order to use it. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + renderedImagePushspec: + description: |- + renderedImagePushspec describes the location of the final image. + the MachineOSConfig object will use the in cluster image registry configuration. + if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ The format of the image pushspec is: + host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid :, + where '' is 64 characters long and '' is any + valid string Or it must be a valid .svc followed by a port, + repository, image name, and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + required: + - imageBuilder + - renderedImagePushSecret + - renderedImagePushspec + type: object + buildOutputs: + description: buildOutputs is where user input options for the build + live + properties: + currentImagePullSecret: + description: |- + currentImagePullSecret is the secret used to pull the final produced image. + must live in the openshift-machine-config-operator namespace + the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, + that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, + that only gives someone to pull images from the image repository. It's basically the principle of least permissions. + this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. 
+ properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + this secret must be in the openshift-machine-config-operator namespace. + type: string + required: + - name + type: object + type: object + machineConfigPool: + description: machineConfigPool is the pool which the build is for + properties: + name: + description: name of the MachineConfigPool object. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + required: + - name + type: object + required: + - buildInputs + - machineConfigPool + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the config. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullspec: + description: currentImagePullspec is the fully qualified image pull + spec used by the MCO to pull down the new OSImage. This must include + sha256. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + observedGeneration: + description: |- + observedGeneration represents the generation observed by the controller. + this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. 
+ format: int64 + type: integer + required: + - observedGeneration + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 29a3a2a902b..32b2ad57f2c 100644 --- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -359,4 +359,190 @@ func (PoolSynchronizerStatus) SwaggerDoc() map[string]string { return map_PoolSynchronizerStatus } +var map_MachineOSBuild = map[string]string{ + "": "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "spec": "spec describes the configuration of the machine os build", + "status": "status describes the lst observed state of this machine os build", +} + +func (MachineOSBuild) SwaggerDoc() map[string]string { + return map_MachineOSBuild +} + +var map_MachineOSBuildList = map[string]string{ + "": "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", +} + +func (MachineOSBuildList) SwaggerDoc() map[string]string { + return map_MachineOSBuildList +} + +var map_MachineOSBuildSpec = map[string]string{ + "": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", + "configGeneration": "configGeneration tracks which version of MachineOSConfig this build is based off of", + "desiredConfig": "desiredConfig is the desired config we want to build an image for.", + "machineOSConfig": "machineOSConfig is the config object which the build is based off of", + "version": "version tracks the newest MachineOSBuild for each MachineOSConfig", + "renderedImagePushspec": "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", +} + +func (MachineOSBuildSpec) SwaggerDoc() map[string]string { + return map_MachineOSBuildSpec +} + +var map_MachineOSBuildStatus = map[string]string{ + "": "MachineOSBuildStatus describes the state of a build and other helpful information.", + "conditions": "conditions are state related 
conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", + "builderReference": "ImageBuilderType describes the image builder set in the MachineOSConfig", + "relatedObjects": "relatedObjects is a list of objects that are related to the build process.", + "buildStart": "buildStart describes when the build started.", + "buildEnd": "buildEnd describes when the build ended.", + "finalImagePullspec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format.", +} + +func (MachineOSBuildStatus) SwaggerDoc() map[string]string { + return map_MachineOSBuildStatus +} + +var map_MachineOSBuilderReference = map[string]string{ + "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build/", + "imageBuilderType": "ImageBuilderType describes the image builder set in the MachineOSConfig", + "buildPod": "relatedObjects is a list of objects that are related to the build process.", +} + +func (MachineOSBuilderReference) SwaggerDoc() map[string]string { + return map_MachineOSBuilderReference +} + +var map_MachineOSConfigReference = map[string]string{ + "": "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", + "name": "name of the MachineOSConfig", +} + +func (MachineOSConfigReference) SwaggerDoc() map[string]string { + return map_MachineOSConfigReference +} + +var map_ObjectReference = map[string]string{ + "": "ObjectReference contains enough information to let you inspect or modify the referred object.", + "group": "group of the referent.", + "resource": "resource of the referent.", + "namespace": "namespace of the referent.", + "name": "name of the referent.", +} + +func (ObjectReference) SwaggerDoc() map[string]string { + return map_ObjectReference +} + +var map_RenderedMachineConfigReference = 
map[string]string{ + "": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", + "name": "name is the name of the rendered MachineConfig object.", +} + +func (RenderedMachineConfigReference) SwaggerDoc() map[string]string { + return map_RenderedMachineConfigReference +} + +var map_BuildInputs = map[string]string{ + "": "BuildInputs holds all of the information needed to trigger a build", + "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", + "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", + "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. 
If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", + "renderedImagePushspec": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + "releaseVersion": "releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", + "containerFile": "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. 
The content is the content of your Dockerfile.", +} + +func (BuildInputs) SwaggerDoc() map[string]string { + return map_BuildInputs +} + +var map_BuildOutputs = map[string]string{ + "": "BuildOutputs holds all information needed to handle booting the image after a build", + "currentImagePullSecret": "currentImagePullSecret is the secret used to pull the final produced image. must live in the openshift-machine-config-operator namespace the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", +} + +func (BuildOutputs) SwaggerDoc() map[string]string { + return map_BuildOutputs +} + +var map_ImageSecretObjectReference = map[string]string{ + "": "Refers to the name of an image registry push/pull secret needed in the build process.", + "name": "name is the name of the secret used to push or pull this MachineOSConfig object. 
this secret must be in the openshift-machine-config-operator namespace.", +} + +func (ImageSecretObjectReference) SwaggerDoc() map[string]string { + return map_ImageSecretObjectReference +} + +var map_MachineConfigPoolReference = map[string]string{ + "": "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", + "name": "name of the MachineConfigPool object.", +} + +func (MachineConfigPoolReference) SwaggerDoc() map[string]string { + return map_MachineConfigPoolReference +} + +var map_MachineOSConfig = map[string]string{ + "": "MachineOSConfig describes the configuration for a build process managed by the MCO Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "spec": "spec describes the configuration of the machineosconfig", + "status": "status describes the status of the machineosconfig", +} + +func (MachineOSConfig) SwaggerDoc() map[string]string { + return map_MachineOSConfig +} + +var map_MachineOSConfigList = map[string]string{ + "": "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", +} + +func (MachineOSConfigList) SwaggerDoc() map[string]string { + return map_MachineOSConfigList +} + +var map_MachineOSConfigSpec = map[string]string{ + "": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", + "machineConfigPool": "machineConfigPool is the pool which the build is for", + "buildInputs": "buildInputs is where user input options for the build live", + "buildOutputs": "buildOutputs is where user input options for the build live", +} + +func (MachineOSConfigSpec) SwaggerDoc() map[string]string { + return map_MachineOSConfigSpec +} + +var map_MachineOSConfigStatus = map[string]string{ + 
"": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", + "conditions": "conditions are state related conditions for the config.", + "observedGeneration": "observedGeneration represents the generation observed by the controller. this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.", + "currentImagePullspec": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.", +} + +func (MachineOSConfigStatus) SwaggerDoc() map[string]string { + return map_MachineOSConfigStatus +} + +var map_MachineOSContainerfile = map[string]string{ + "": "MachineOSContainerfile contains all custom content the user wants built into the image", + "containerfileArch": "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", + "content": "content is the custom content to be built", +} + +func (MachineOSContainerfile) SwaggerDoc() map[string]string { + return map_MachineOSContainerfile +} + +var map_MachineOSImageBuilder = map[string]string{ + "imageBuilderType": "imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder", +} + +func (MachineOSImageBuilder) SwaggerDoc() map[string]string { + return map_MachineOSImageBuilder +} + // AUTO-GENERATED FUNCTIONS END HERE From 8b77960a1a5861d0ad731892b873e2df61babeaf Mon Sep 17 00:00:00 2001 From: Yu Qi Zhang Date: Wed, 13 Nov 2024 16:51:52 -0500 Subject: [PATCH 3/7] Temporarily exclude v1 MOSC/MOSB from payload --- hack/update-payload-crds.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/hack/update-payload-crds.sh b/hack/update-payload-crds.sh
index 10cff221c78..975fb612721 100755
--- a/hack/update-payload-crds.sh
+++ b/hack/update-payload-crds.sh
@@ -21,7 +21,11 @@ crd_globs="\
 operator/v1/zz_generated.crd-manifests/0000_25_kube-controller-manager_01_kubecontrollermanagers*.crd.yaml
 config/v1/zz_generated.crd-manifests/0000_10_openshift-controller-manager_01_builds*.crd.yaml
 operator/v1/zz_generated.crd-manifests/0000_50_openshift-controller-manager_02_openshiftcontrollermanagers*.crd.yaml
- machineconfiguration/v1/zz_generated.crd-manifests/*.crd.yaml
+ machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs*.crd.yaml
+ machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs*.crd.yaml
+ machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs*.crd.yaml
+ machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools*.crd.yaml
+ machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigs*.crd.yaml
 machineconfiguration/v1alpha1/zz_generated.crd-manifests/*.crd.yaml
 operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations*.crd.yaml
 config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies*.crd.yaml
From c6619bf1da6e32c479cbf984d5a3d694b2e5dca1 Mon Sep 17 00:00:00 2001
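Review bot: The explicit per-CRD list silently drops the machineosconfigs and machineosbuilds v1 manifests from the payload, and nothing in the script says this is temporary; only the commit title does, so the next person to touch this list will not know the `machineconfiguration/v1/*.crd.yaml` glob is meant to come back. Because `crd_globs` is a quoted multi-line string a `#` inside it would become part of the value, so the note has to go on the line above the `crd_globs="\` assignment (outside this hunk), e.g. `# TODO: machineosconfigs/machineosbuilds v1 CRDs are deliberately left out of the payload until the v1 API ships; restore the machineconfiguration/v1/*.crd.yaml glob then.`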
From: Yu Qi Zhang Date: Tue, 12 Nov 2024 23:20:27 -0500 Subject: [PATCH 4/7] Update godoc and validation for MOSC/MOSB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mostly fixups, with some minor changes to the v1alpha1 API: - Removed Version and ConfigGeneration from MOSB as they were unused - Updated relatedobjects list - Changed all optional,omitempty structs to pointers - Removed default for ImageBuilderType, but keeping default build arch to noarch as we don’t foresee changing that. - Fixed RenderedImagePushspec validators to match description --- .../OnClusterBuild.yaml | 40 +--------- .../OnClusterBuild.yaml | 58 ++++++++++++-- .../v1/types_machineosbuild.go | 47 ++++++----- .../v1/types_machineosconfig.go | 33 +++++--- ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 80 ++++++++++++------- ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 80 ++++++++++++------- ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 80 ++++++++++++------- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 48 ++++++----- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 48 ++++++----- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 48 ++++++----- .../v1/zz_generated.deepcopy.go | 23 ++++-- .../OnClusterBuild.yaml | 80 ++++++++++++------- .../OnClusterBuild.yaml | 48 ++++++----- .../v1/zz_generated.swagger_doc_generated.go | 28 +++---- 14 files changed, 446 insertions(+), 295 deletions(-) diff --git a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index f8668870b4f..4e226b57e70 100644 --- a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -1,64 +1,30 @@ apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "[TechPreview] MachineOSBuild" +name: "MachineOSBuild" crdName: machineosbuilds.machineconfiguration.openshift.io featureGate: OnClusterBuild tests: onCreate: - name: Should be able to create a minimal MachineOSBuild initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSBuild metadata: name: foobar spec: - configGeneration: 1 desiredConfig: name: rendered-worker-abcd - version: 1 machineOSConfig: name: worker renderedImagePushspec: quay.io/cdoern/mco:latest expected: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSBuild metadata: name: foobar spec: - configGeneration: 1 desiredConfig: name: rendered-worker-abcd - version: 1 machineOSConfig: name: worker renderedImagePushspec: quay.io/cdoern/mco:latest - - name: fail on invalid version - initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 - kind: MachineOSBuild - metadata: - name: foobar - spec: - configGeneration: 1 - desiredConfig: - name: rendered-worker-abcd - version: 0 - machineOSConfig: - name: worker - renderedImagePushspec: quay.io/cdoern/mco:latest - expectedError: "Invalid value: 0: spec.version in body should be greater than or equal to 1" - - name: fail on invalid configGeneration - initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 - kind: MachineOSBuild - metadata: - name: foobar - spec: - configGeneration: 0 - desiredConfig: - name: rendered-worker-abcd - version: 1 - machineOSConfig: - name: worker - renderedImagePushspec: quay.io/cdoern/mco:latest - expectedError: "Invalid value: 0: spec.configGeneration in body should be greater than or equal to 1" 
diff --git a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 30484df888a..c59e1c201b9 100644 --- a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -1,12 +1,12 @@ apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "[TechPreview] MachineOSConfig" +name: "MachineOSConfig" crdName: machineosconfigs.machineconfiguration.openshift.io featureGate: OnClusterBuild tests: onCreate: - name: Should be able to create a minimal MachineOSConfig initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig metadata: name: foobar @@ -27,7 +27,7 @@ tests: currentImagePullSecret: name: foo expected: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig metadata: name: foobar 
@@ -47,9 +47,53 @@ tests: buildOutputs: currentImagePullSecret: name: foo + onCreate: + - name: Should be able to create a MachineOSConfig with a renderedImagePushspec that contains a port + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: registry.test.example.local:5000/test/custom-os-image:v0.1 + buildOutputs: + currentImagePullSecret: + name: foo + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: PodImageBuilder + baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushspec: registry.test.example.local:5000/test/custom-os-image:v0.1 + buildOutputs: + currentImagePullSecret: + name: foo - name: Fail on invalid rendered image pushspec initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig metadata: name: foobar 
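Review bot: The added `onCreate:` line at the top of this hunk introduces a second `onCreate` key, while the file's existing `tests: onCreate:` list (previous hunk) already holds the minimal-MachineOSConfig case; depending on its indentation it is either a duplicate mapping key under `tests:` (an error in strict YAML parsers, and with last-key-wins parsers it silently drops the earlier test) or, if indented deeper than `expected:`, extra lines swallowed into the preceding `expected: |` block scalar, which would make that test's expected output wrong. Drop the `+ onCreate:` line and append `- name: Should be able to create a MachineOSConfig with a renderedImagePushspec that contains a port` as the next item of the existing list, at the same indent as `- name: Should be able to create a minimal MachineOSConfig`.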
@@ -72,7 +116,7 @@ tests: expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" - name: Fail on invalid base image pullspec initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig metadata: name: foobar @@ -95,7 +139,7 @@ tests: expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" - name: Allows for an empty pull secret initial: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig metadata: name: foobar @@ -114,7 +158,7 @@ tests: currentImagePullSecret: name: foo expected: | - apiVersion: machineconfiguration.openshift.io/v1alpha1 + apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig metadata: name: foobar diff --git a/machineconfiguration/v1/types_machineosbuild.go b/machineconfiguration/v1/types_machineosbuild.go index bbd98adc77c..184a168ad59 100644 --- a/machineconfiguration/v1/types_machineosbuild.go +++ b/machineconfiguration/v1/types_machineosbuild.go 
@@ -52,27 +52,18 @@ type MachineOSBuildList struct { // MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object. type MachineOSBuildSpec struct { - // configGeneration tracks which version of MachineOSConfig this build is based off of - // +kubebuilder:validation:Minimum=1 - // +kubebuilder:validation:Required - ConfigGeneration int64 `json:"configGeneration"` // desiredConfig is the desired config we want to build an image for. // +kubebuilder:validation:Required DesiredConfig RenderedMachineConfigReference `json:"desiredConfig"` // machineOSConfig is the config object which the build is based off of // +kubebuilder:validation:Required MachineOSConfig MachineOSConfigReference `json:"machineOSConfig"` - // version tracks the newest MachineOSBuild for each MachineOSConfig - // +kubebuilder:validation:Minimum=1 - // +kubebuilder:validation:Required - Version int64 `json:"version"` // renderedImagePushspec is set from the MachineOSConfig // The format of the image pullspec is: // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=447 - // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image reference must end with a valid :, where '' is 64 characters long and '' is any valid string Or it must be a valid .svc followed by a port, repository, image name, and tag." 
- // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + // +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." // +kubebuilder:validation:Required RenderedImagePushspec string `json:"renderedImagePushspec"` } 
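Review bot: The tag part of the new renderedImagePushspec rule, `:[a-zA-Z0-9._-]+$`, accepts tags that begin with `.` or `-` and has no upper bound, whereas the OCI distribution spec limits a tag to `[A-Za-z0-9_][A-Za-z0-9._-]{0,127}`; tightening it to `:[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$` keeps the validator in line with what a registry push will actually accept. The host part `([a-zA-Z0-9-]+\\.)+` requires a dotted host, so `localhost:5000/ns/name:tag` fails the first alternative and only `*.svc` hosts get the second; if single-label hosts are meant to be unsupported, say so in the doc comment above the rule. That comment's format line `host[:port][/namespace]/name:` ends in a bare colon, apparently having lost its tag placeholder (angle brackets stripped); writing it as `host[:port][/namespace]/name:tag` avoids the ambiguity.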
@@ -88,35 +79,40 @@ type MachineOSBuildStatus struct { // +listMapKey=type // +optional Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` - // ImageBuilderType describes the image builder set in the MachineOSConfig + // BuilderReference describes which ImageBuilder backend to use for this build // +optional BuilderReference *MachineOSBuilderReference `json:"builderReference"` // relatedObjects is a list of objects that are related to the build process. + // +kubebuilder:validation:MaxItems=10 + // +listType=map + // +listMapKey=name + // +listMapKey=resource RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"` // buildStart describes when the build started. // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildStart is immutable once set" // +kubebuilder:validation:Required - BuildStart *metav1.Time `json:"buildStart"` + BuildStart metav1.Time `json:"buildStart"` // buildEnd describes when the build ended. // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildEnd is immutable once set" - //+optional + // +optional BuildEnd *metav1.Time `json:"buildEnd,omitempty"` - // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format. - // +kubebuilder:validation:XValidation:rule=`((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" + // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. 
Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long + // +kubebuilder:validation:XValidation:rule=`((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long" // +optional FinalImagePushspec string `json:"finalImagePullspec,omitempty"` } -// MachineOSBuilderReference describes which ImageBuilder backend to use for this build/ +// MachineOSBuilderReference describes which ImageBuilder backend to use for this build // +union -// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'PodImageBuilder' ? true : !has(self.buildPod)",message="buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'PodImageBuilder' ? has(self.buildPod) : !has(self.buildPod)",message="buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise" type MachineOSBuilderReference struct { // ImageBuilderType describes the image builder set in the MachineOSConfig // +unionDiscriminator ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"` // relatedObjects is a list of objects that are related to the build process. - // +unionMember,optional + // +unionMember + // +optional PodImageBuilder *ObjectReference `json:"buildPod,omitempty"` } 
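Review bot: `FinalImagePushspec` is still serialized as `json:"finalImagePullspec,omitempty"` while the doc comment rewritten in this hunk calls it a pushspec; since this type is being promoted to v1 (Compatibility level 1 per the generated docs), the Go name, wire name and description should agree before the field is frozen, e.g. keep the wire name and rename the field and comment to `finalImagePullspec`, which is what consumers use to pull the built image. The same comment still reads `describes the fully qualified pushspec produced by this build that the final image can be`, which is not a sentence; `describes the fully qualified pullspec of the image produced by this build` would do. Separately, `BuildStart` is now a non-pointer `metav1.Time` with no `omitempty` and `+kubebuilder:validation:Required` inside status, so a status write that has not populated it presumably serializes `null` and is rejected; confirm every status writer sets it before its first update.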
@@ -150,16 +146,28 @@ type RenderedMachineConfigReference struct {
 // ObjectReference contains enough information to let you inspect or modify the referred object.
 type ObjectReference struct {
 // group of the referent.
+ // This value should consist of only lowercase alphanumeric characters, hyphens and periods.
+ // Example: "", "apps", "build.openshift.io", etc.
+ // +kubebuilder:validation:Pattern:="^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
 // +kubebuilder:validation:Required
 Group string `json:"group"`
 // resource of the referent.
+ // This value should consist of only lowercase alphanumeric characters and hyphens.
+ // Example: "deployments", "deploymentconfigs", "pods", etc.
 // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
 Resource string `json:"resource"`
 // namespace of the referent.
+ // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=63
 // +optional
 Namespace string `json:"namespace,omitempty"`
 // name of the referent.
 // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
 Name string `json:"name"`
 }
@@ -167,5 +175,8 @@ type ObjectReference struct {
 type MachineOSConfigReference struct {
 // name of the MachineOSConfig
 // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
 Name string `json:"name"`
 }
diff --git a/machineconfiguration/v1/types_machineosconfig.go b/machineconfiguration/v1/types_machineosconfig.go
index 907d6836ff3..7842e9344c0 100644
--- a/machineconfiguration/v1/types_machineosconfig.go
+++ b/machineconfiguration/v1/types_machineosconfig.go
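Review bot: The `group` pattern `^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$` leaves the separator dot unescaped, so any character joins the segments and values like `build/openshift.io` or `apps v1` pass validation; the group should be `(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`. `group` and `resource` get a pattern but, unlike `namespace` and `name`, no `MaxLength`, so the bounds are inconsistent across the struct. The `name` pattern `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` rejects dots, yet object names in most groups are DNS subdomains where dots are legal, so a referent such as a Pod named `my.pod` cannot be recorded; the same applies to `MachineOSConfigReference.name` in the next hunk, whose `MaxLength=256` also exceeds the 253 the API server allows for names. If dotted names are meant to be excluded, the doc comment should say so explicitly.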
@@ -28,7 +28,7 @@ type MachineOSConfig struct {
 // status describes the status of the machineosconfig
 // +optional
- Status MachineOSConfigStatus `json:"status,omitempty"`
+ Status *MachineOSConfigStatus `json:"status,omitempty"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -52,9 +52,9 @@ type MachineOSConfigSpec struct {
 // buildInputs is where user input options for the build live
 // +kubebuilder:validation:Required
 BuildInputs BuildInputs `json:"buildInputs"`
- // buildOutputs is where user input options for the build live
+ // buildOutputs holds all information needed to handle booting the image after a build
 // +optional
- BuildOutputs BuildOutputs `json:"buildOutputs,omitempty"`
+ BuildOutputs *BuildOutputs `json:"buildOutputs,omitempty"`
 }
 // MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig
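Review bot: Turning `Status` into a pointer (`Status *MachineOSConfigStatus`) is unusual for a Kubernetes top-level type — the other always-present sub-struct in this file, `BuildInputs BuildInputs`, stays a value — and it forces a nil check before every `cfg.Status.Conditions` read in controllers and clients, which is where regressions from this change would surface. The wire format is unaffected because of `omitempty`, but Go code compiled against the old value type no longer builds. If the goal is to tell "never reconciled" from "reconciled", `observedGeneration` already carries that; I would keep `Status MachineOSConfigStatus` and leave only `BuildOutputs *BuildOutputs` in the second hunk as the pointer, since that field is genuinely optional.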
@@ -66,11 +66,13 @@ type MachineOSConfigStatus struct {
 // +listMapKey=type
 // +optional
 Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
- // observedGeneration represents the generation observed by the controller.
- // this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.
+ // observedGeneration represents the generation observed by the Machine Config Operator's build controller.
 // +kubebuilder:validation:Required
 ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 // currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.
+ // The format of the image pullspec is:
+ // host[:port][/namespace]/name@sha256:
+ // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
 // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
@@ -86,6 +88,7 @@ type BuildInputs struct {
 // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
 // The format of the image pullspec is:
 // host[:port][/namespace]/name@sha256:
+ // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
 // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
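Review bot: The new doc line `The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.` is not reflected in the unchanged validation message on the line below, which still reads `where '' is 64 characters long`; the v1alpha1 hunk above changed its message to `64 hexadecimal characters long`, and the v1 messages here and in the two `BuildInputs` hunks (`@@ -86,6 +88,7 @@` and `@@ -97,6 +100,7 @@`) should follow so users get the same error text from both versions. Separately, the unchanged `ObservedGeneration int64 `json:"observedGeneration,omitempty"`` pairs `+kubebuilder:validation:Required` with `omitempty`, so a generation of 0 is dropped on serialization and the object then fails the required check; removing `omitempty` (or the Required marker) resolves that and is worth doing while the comment is being touched.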
@@ -97,6 +100,7 @@ type BuildInputs struct {
 // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
 // The format of the image pullspec is:
 // host[:port][/namespace]/name@sha256:
+ // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
 // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
@@ -107,7 +111,7 @@ type BuildInputs struct {
 // must live in the openshift-machine-config-operator namespace if provided.
 // defaults to using the cluster-wide pull secret if not specified.
 // +optional
- BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"`
+ BaseImagePullSecret *ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"`
 // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig
 // +kubebuilder:validation:Required
 ImageBuilder *MachineOSImageBuilder `json:"imageBuilder"`
@@ -126,18 +130,20 @@ type BuildInputs struct {
 // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
- // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image reference must end with a valid :, where '' is 64 characters long and '' is any valid string Or it must be a valid .svc followed by a port, repository, image name, and tag."
- // +kubebuilder:validation:XValidation:rule=`((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
 // +kubebuilder:validation:Required
 RenderedImagePushspec string `json:"renderedImagePushspec"`
- // releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with.
+ // releaseVersion is an Openshift release version which the base OS image is associated with.
 // This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace.
// It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream.
 // This is used as a label in the dockerfile that builds the OS image.
+ // +kubebuilder:validation:MaxLength:=253
+ // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`
 // +optional
 ReleaseVersion string `json:"releaseVersion,omitempty"`
 // containerFile describes the custom data the user has specified to build into the image.
 // this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.
+ // you can specify up to 7 containerFiles
 // +patchMergeKey=containerfileArch
 // +patchStrategy=merge
 // +listType=map
@@ -163,7 +169,6 @@ type BuildOutputs struct {
 type MachineOSImageBuilder struct {
 // imageBuilderType specifies the backend to be used to build the image.
- // +kubebuilder:default:=PodImageBuilder
 // +kubebuilder:validation:Enum:=PodImageBuilder
 // Valid options are: PodImageBuilder
 ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"`
@@ -178,7 +183,11 @@ type MachineOSContainerfile struct {
 // +kubebuilder:default:=noarch
 // +optional
 ContainerfileArch ContainerfileArch `json:"containerfileArch"`
- // content is the custom content to be built
+ // content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image.
+ // for example, this would add the tree package to your hosts:
+ // FROM configs AS final
+ // RUN rpm-ostree install tree && \
+ // ostree container commit
 // +kubebuilder:validation:Required
 Content string `json:"content"`
 }
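Review bot: The new `renderedImagePushspec` rule requires the host to contain a dot (`([a-zA-Z0-9-]+\\.)+`), so push targets such as `registry:5000/ns/img:tag` or `localhost:5000/img:tag` are rejected unless they take the `.svc` form; if bare hostnames are intentionally unsupported, the comment `host[:port][/namespace]/name:` above the rule should say so. The tag component `[a-zA-Z0-9._-]+` is bounded only by the field's `MaxLength=447`, while OCI tags are at most 128 characters, so `{1,128}` would be a tighter fit. The `releaseVersion` pattern is the DNS-subdomain regex; it accepts the documented `4.16.0-0.nightly-2024-04-03-065948` but excludes semver build metadata (`+`), which is fine only if release strings never carry it. Finally, `// you can specify up to 7 containerFiles` promises a limit that is not enforced anywhere within the hunk; unless `+kubebuilder:validation:MaxItems=7` sits on the lines that follow, the limit is documentation only — the `BuildInputs` body continues outside the hunk.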
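Review bot: Removing `+kubebuilder:default:=PodImageBuilder` makes `imageBuilderType` mandatory in practice, because the unchanged `ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"`` has neither `omitempty` nor an explicit Required marker: a Go client that leaves the field unset serializes `""`, which fails the `Enum:=PodImageBuilder` check, and manifests that relied on the default now fail admission. If that is intended, add `// +kubebuilder:validation:Required` so the requirement is explicit in the schema rather than a side effect of the enum, and mention the change in the description. If it is not intended, keep the default.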
@@ -216,6 +225,8 @@ type MachineConfigPoolReference struct {
 type ImageSecretObjectReference struct {
 // name is the name of the secret used to push or pull this MachineOSConfig object.
 // this secret must be in the openshift-machine-config-operator namespace.
+ // +kubebuilder:validation:MaxLength:=253
+ // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`
 // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
index fce7d4164dc..e143d4055f4 100644
--- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
@@ -62,12 +62,6 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer desiredConfig: description: desiredConfig is the desired config we want to build an image for.
@@ -86,6 +80,9 @@ spec: properties: name: description: name of the MachineOSConfig + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - name
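Review bot: The pattern added to `ImageSecretObjectReference.name` allows uppercase letters (`[a-zA-Z0-9]`), but a Secret name is a lowercase DNS subdomain, so a value like `MySecret` passes admission and can never resolve to an existing Secret; the lowercase-only pattern used for `ObjectReference.name` in the v1alpha1 hunk above is the stricter and correct choice here. The same regex literal is reused for `releaseVersion`, where uppercase is legitimate, so the two should not be kept identical. `MaxLength:=253` matches the Secret name limit and is fine as is.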
@@ -99,29 +96,16 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - desiredConfig - machineOSConfig - renderedImagePushspec - - version type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set 
@@ -145,24 +129,38 @@ spec: - message: buildStart is immutable once set rule: self == oldSelf builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + description: BuilderReference describes which ImageBuilder backend + to use for this build properties: buildPod: description: relatedObjects is a list of objects that are related to the build process. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group @@ -178,7 +176,7 @@ spec: - message: buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -244,12 +242,13 @@ spec: x-kubernetes-list-type: map finalImagePullspec: description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + produced by this build that the final image can be. Must end with + a valid '@sha256:' suffix, where '' is 64 hexadecimal + characters long type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long + suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: description: relatedObjects is a list of objects that are related @@ -259,23 +258,42 @@ spec: you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group - name - resource type: object + maxItems: 10 type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map required: - buildStart type: object 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml index ebf17972db9..aab2e8109ea 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml @@ -62,12 +62,6 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer desiredConfig: description: desiredConfig is the desired config we want to build an image for. @@ -86,6 +80,9 @@ spec: properties: name: description: name of the MachineOSConfig + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - name 
@@ -99,29 +96,16 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - desiredConfig - machineOSConfig - renderedImagePushspec - - version type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set 
@@ -145,24 +129,38 @@ spec: - message: buildStart is immutable once set rule: self == oldSelf builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + description: BuilderReference describes which ImageBuilder backend + to use for this build properties: buildPod: description: relatedObjects is a list of objects that are related to the build process. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group @@ -178,7 +176,7 @@ spec: - message: buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -244,12 +242,13 @@ spec: x-kubernetes-list-type: map finalImagePullspec: description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + produced by this build that the final image can be. Must end with + a valid '@sha256:' suffix, where '' is 64 hexadecimal + characters long type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long + suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: description: relatedObjects is a list of objects that are related @@ -259,23 +258,42 @@ spec: you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group - name - resource type: object + maxItems: 10 type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map required: - buildStart type: object 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml index 083a341e806..108302b5ddd 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml @@ -62,12 +62,6 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer desiredConfig: description: desiredConfig is the desired config we want to build an image for. @@ -86,6 +80,9 @@ spec: properties: name: description: name of the MachineOSConfig + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - name 
@@ -99,29 +96,16 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - desiredConfig - machineOSConfig - renderedImagePushspec - - version type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set 
@@ -145,24 +129,38 @@ spec: - message: buildStart is immutable once set rule: self == oldSelf builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + description: BuilderReference describes which ImageBuilder backend + to use for this build properties: buildPod: description: relatedObjects is a list of objects that are related to the build process. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group @@ -178,7 +176,7 @@ spec: - message: buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -244,12 +242,13 @@ spec: x-kubernetes-list-type: map finalImagePullspec: description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + produced by this build that the final image can be. Must end with + a valid '@sha256:' suffix, where '' is 64 hexadecimal + characters long type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long + suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: description: relatedObjects is a list of objects that are related @@ -259,23 +258,42 @@ spec: you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group - name - resource type: object + maxItems: 10 type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map required: - buildStart type: object 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index 3e9e21c67ba..0c963a5e7bc 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml @@ -60,6 +60,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -71,6 +73,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -88,6 +91,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string 
@@ -102,6 +106,7 @@ spec: description: |- containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image @@ -122,7 +127,12 @@ spec: - noarch type: string content: - description: content is the custom content to be built + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit type: string required: - content @@ -138,7 +148,6 @@ spec: will be used in each build triggered by this MachineOSConfig properties: imageBuilderType: - default: PodImageBuilder description: |- imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder @@ -148,10 +157,12 @@ spec: type: object releaseVersion: description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string renderedImagePushSecret: description: |- 
@@ -166,6 +177,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -181,26 +194,20 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - imageBuilder - renderedImagePushSecret - renderedImagePushspec type: object buildOutputs: - description: buildOutputs is where user input options for the build - live + description: buildOutputs holds all information needed to handle booting + the image after a build properties: currentImagePullSecret: description: |- 
@@ -215,6 +222,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -299,9 +308,11 @@ spec: - type x-kubernetes-list-type: map currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + description: |- + currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -313,9 +324,8 @@ spec: format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation observed + by the Machine Config Operator's build controller. format: int64 type: integer required: diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index d1392e75a70..0b3e1acff7c 100644 
--- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml @@ -60,6 +60,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -71,6 +73,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -88,6 +91,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -102,6 +106,7 @@ spec: description: |- containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image 
@@ -122,7 +127,12 @@ spec: - noarch type: string content: - description: content is the custom content to be built + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit type: string required: - content @@ -138,7 +148,6 @@ spec: will be used in each build triggered by this MachineOSConfig properties: imageBuilderType: - default: PodImageBuilder description: |- imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder @@ -148,10 +157,12 @@ spec: type: object releaseVersion: description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string renderedImagePushSecret: description: |- @@ -166,6 +177,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name 
@@ -181,26 +194,20 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - imageBuilder - renderedImagePushSecret - renderedImagePushspec type: object buildOutputs: - description: buildOutputs is where user input options for the build - live + description: buildOutputs holds all information needed to handle booting + the image after a build properties: currentImagePullSecret: description: |- @@ -215,6 +222,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name 
@@ -299,9 +308,11 @@ spec: - type x-kubernetes-list-type: map currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + description: |- + currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -313,9 +324,8 @@ spec: format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation observed + by the Machine Config Operator's build controller. format: int64 type: integer required: diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 7e9ca857a52..16ad77411c0 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -60,6 +60,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -71,6 +73,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -88,6 +91,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -102,6 +106,7 @@ spec: description: |- containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image @@ -122,7 +127,12 @@ spec: - noarch type: string content: - description: content is the custom content to be built + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit type: string required: - content 
@@ -138,7 +148,6 @@ spec: will be used in each build triggered by this MachineOSConfig properties: imageBuilderType: - default: PodImageBuilder description: |- imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder @@ -148,10 +157,12 @@ spec: type: object releaseVersion: description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string renderedImagePushSecret: description: |- @@ -166,6 +177,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name 
@@ -181,26 +194,20 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - imageBuilder - renderedImagePushSecret - renderedImagePushspec type: object buildOutputs: - description: buildOutputs is where user input options for the build - live + description: buildOutputs holds all information needed to handle booting + the image after a build properties: currentImagePullSecret: description: |- @@ -215,6 +222,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name 
@@ -299,9 +308,11 @@ spec: - type x-kubernetes-list-type: map currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + description: |- + currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -313,9 +324,8 @@ spec: format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation observed + by the Machine Config Operator's build controller. format: int64 type: integer required: diff --git a/machineconfiguration/v1/zz_generated.deepcopy.go b/machineconfiguration/v1/zz_generated.deepcopy.go index 429586a4211..c505d55c081 100644 --- a/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/machineconfiguration/v1/zz_generated.deepcopy.go 
@@ -16,7 +16,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BuildInputs) DeepCopyInto(out *BuildInputs) { *out = *in - out.BaseImagePullSecret = in.BaseImagePullSecret + if in.BaseImagePullSecret != nil { + in, out := &in.BaseImagePullSecret, &out.BaseImagePullSecret + *out = new(ImageSecretObjectReference) + **out = **in + } if in.ImageBuilder != nil { in, out := &in.ImageBuilder, &out.ImageBuilder *out = new(MachineOSImageBuilder) @@ -1009,10 +1013,7 @@ func (in *MachineOSBuildStatus) DeepCopyInto(out *MachineOSBuildStatus) { *out = make([]ObjectReference, len(*in)) copy(*out, *in) } - if in.BuildStart != nil { - in, out := &in.BuildStart, &out.BuildStart - *out = (*in).DeepCopy() - } + in.BuildStart.DeepCopyInto(&out.BuildStart) if in.BuildEnd != nil { in, out := &in.BuildEnd, &out.BuildEnd *out = (*in).DeepCopy() @@ -1057,7 +1058,11 @@ func (in *MachineOSConfig) DeepCopyInto(out *MachineOSConfig) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) + if in.Status != nil { + in, out := &in.Status, &out.Status + *out = new(MachineOSConfigStatus) + (*in).DeepCopyInto(*out) + } return } @@ -1133,7 +1138,11 @@ func (in *MachineOSConfigSpec) DeepCopyInto(out *MachineOSConfigSpec) { *out = *in out.MachineConfigPool = in.MachineConfigPool in.BuildInputs.DeepCopyInto(&out.BuildInputs) - out.BuildOutputs = in.BuildOutputs + if in.BuildOutputs != nil { + in, out := &in.BuildOutputs, &out.BuildOutputs + *out = new(BuildOutputs) + **out = **in + } return } diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index eefbc505f74..34d711a19a1 100644 
--- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -62,12 +62,6 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer desiredConfig: description: desiredConfig is the desired config we want to build an image for. @@ -86,6 +80,9 @@ spec: properties: name: description: name of the MachineOSConfig + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - name 
@@ -99,29 +96,16 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - desiredConfig - machineOSConfig - renderedImagePushspec - - version type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set 
@@ -145,24 +129,38 @@ spec: - message: buildStart is immutable once set rule: self == oldSelf builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + description: BuilderReference describes which ImageBuilder backend + to use for this build properties: buildPod: description: relatedObjects is a list of objects that are related to the build process. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group @@ -178,7 +176,7 @@ spec: - message: buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -244,12 +242,13 @@ spec: x-kubernetes-list-type: map finalImagePullspec: description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + produced by this build that the final image can be. Must end with + a valid '@sha256:' suffix, where '' is 64 hexadecimal + characters long type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long + suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: description: relatedObjects is a list of objects that are related @@ -259,23 +258,42 @@ spec: you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + This value should consist of only lowercase alphanumeric characters, hyphens and periods. + Example: "", "apps", "build.openshift.io", etc. + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: name of the referent. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string namespace: description: namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - group - name - resource type: object + maxItems: 10 type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map required: - buildStart type: object 
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 5e6043342d2..4f1b564cbca 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -60,6 +60,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -71,6 +73,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -88,6 +91,7 @@ spec: if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string 
@@ -102,6 +106,7 @@ spec: description: |- containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image @@ -122,7 +127,12 @@ spec: - noarch type: string content: - description: content is the custom content to be built + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit type: string required: - content @@ -138,7 +148,6 @@ spec: will be used in each build triggered by this MachineOSConfig properties: imageBuilderType: - default: PodImageBuilder description: |- imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder @@ -148,10 +157,12 @@ spec: type: object releaseVersion: description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. + releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string renderedImagePushSecret: description: |- 
@@ -166,6 +177,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -181,26 +194,20 @@ spec: minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - imageBuilder - renderedImagePushSecret - renderedImagePushspec type: object buildOutputs: - description: buildOutputs is where user input options for the build - live + description: buildOutputs holds all information needed to handle booting + the image after a build properties: currentImagePullSecret: description: |- 
@@ -215,6 +222,8 @@ spec: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string required: - name @@ -299,9 +308,11 @@ spec: - type x-kubernetes-list-type: map currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + description: |- + currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + The format of the image pullspec is: + host[:port][/namespace]/name@sha256: + The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. maxLength: 447 minLength: 1 type: string @@ -313,9 +324,8 @@ spec: format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation observed + by the Machine Config Operator's build controller. format: int64 type: integer required: diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 32b2ad57f2c..8ea3e91e827 100644 --- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -379,10 +379,8 @@ func (MachineOSBuildList) SwaggerDoc() map[string]string { var map_MachineOSBuildSpec = map[string]string{ "": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", - "configGeneration": "configGeneration tracks which version of MachineOSConfig this build is based off of", "desiredConfig": "desiredConfig is the desired config we want to build an image for.", "machineOSConfig": "machineOSConfig is the config object which the build is based off of", - "version": "version tracks the newest MachineOSBuild for each MachineOSConfig", "renderedImagePushspec": "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", } 
@@ -393,11 +391,11 @@ func (MachineOSBuildSpec) SwaggerDoc() map[string]string { var map_MachineOSBuildStatus = map[string]string{ "": "MachineOSBuildStatus describes the state of a build and other helpful information.", "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", - "builderReference": "ImageBuilderType describes the image builder set in the MachineOSConfig", + "builderReference": "BuilderReference describes which ImageBuilder backend to use for this build", "relatedObjects": "relatedObjects is a list of objects that are related to the build process.", "buildStart": "buildStart describes when the build started.", "buildEnd": "buildEnd describes when the build ended.", - "finalImagePullspec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format.", + "finalImagePullspec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long", } func (MachineOSBuildStatus) SwaggerDoc() map[string]string { @@ -405,7 +403,7 @@ func (MachineOSBuildStatus) SwaggerDoc() map[string]string { } var map_MachineOSBuilderReference = map[string]string{ - "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build/", + "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build", "imageBuilderType": "ImageBuilderType describes the image builder set in the MachineOSConfig", "buildPod": "relatedObjects is a list of objects that are related to the build process.", } 
@@ -425,8 +423,8 @@ func (MachineOSConfigReference) SwaggerDoc() map[string]string { var map_ObjectReference = map[string]string{ "": "ObjectReference contains enough information to let you inspect or modify the referred object.", - "group": "group of the referent.", - "resource": "resource of the referent.", + "group": "group of the referent. This value should consist of only lowercase alphanumeric characters, hyphens and periods. Example: \"\", \"apps\", \"build.openshift.io\", etc.", + "resource": "resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", "namespace": "namespace of the referent.", "name": "name of the referent.", } 
@@ -446,14 +444,14 @@ func (RenderedMachineConfigReference) SwaggerDoc() map[string]string { var map_BuildInputs = map[string]string{ "": "BuildInputs holds all of the information needed to trigger a build", - "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", - "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", "renderedImagePushspec": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", - "releaseVersion": "releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. 
It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", - "containerFile": "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.", + "releaseVersion": "releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", + "containerFile": "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. you can specify up to 7 containerFiles", } func (BuildInputs) SwaggerDoc() map[string]string { @@ -509,7 +507,7 @@ var map_MachineOSConfigSpec = map[string]string{ "": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", "machineConfigPool": "machineConfigPool is the pool which the build is for", "buildInputs": "buildInputs is where user input options for the build live", - "buildOutputs": "buildOutputs is where user input options for the build live", + "buildOutputs": "buildOutputs holds all information needed to handle booting the image after a build", } func (MachineOSConfigSpec) SwaggerDoc() map[string]string { 
@@ -519,8 +517,8 @@ func (MachineOSConfigSpec) SwaggerDoc() map[string]string { var map_MachineOSConfigStatus = map[string]string{ "": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", "conditions": "conditions are state related conditions for the config.", - "observedGeneration": "observedGeneration represents the generation observed by the controller. this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.", - "currentImagePullspec": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.", + "observedGeneration": "observedGeneration represents the generation observed by the Machine Config Operator's build controller.", + "currentImagePullspec": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", } func (MachineOSConfigStatus) SwaggerDoc() map[string]string { 
@@ -530,7 +528,7 @@ func (MachineOSConfigStatus) SwaggerDoc() map[string]string { var map_MachineOSContainerfile = map[string]string{ "": "MachineOSContainerfile contains all custom content the user wants built into the image", "containerfileArch": "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", - "content": "content is the custom content to be built", + "content": "content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. for example, this would add the tree package to your hosts:\n FROM configs AS final\n RUN rpm-ostree install tree && \\n ostree container commit", } func (MachineOSContainerfile) SwaggerDoc() map[string]string { From 7ff1e4d1bee4530086396da18f5e66d2acd3af0e Mon Sep 17 00:00:00 2001 
From: Yu Qi Zhang Date: Thu, 28 Nov 2024 20:03:45 -0500 Subject: [PATCH 5/7] Additional fixes for MOSC/MOSB - Update from PodImageBuilder to JobImageBuilder, and add a MachineOSBuild reference to MachineOSConfig - Failed and Interrupted will now cause MOSBuild conditions to be immutable - Updated Arch enum to be PascalCase - Updated relatedObject go doc based on suggestion - Add validation for buildEnd > buildStart - Removed conditions field from MOSConfig. The build object is supposed to reflect conditions instead, so this is not needed at this time - Use dns1123 format check for all strings that match, and otherwise switch pattern checks to validation rules where appropriate - Updated godocs a bit more for formatting --- hack/update-payload-crds.sh | 1 + .../OnClusterBuild.yaml | 21 +- .../OnClusterBuild.yaml | 26 +- .../v1/types_machineosbuild.go | 58 +++-- .../v1/types_machineosconfig.go | 106 ++++---- ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 135 +++++++--- ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 135 +++++++--- ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 135 +++++++--- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 244 ++++++++++-------- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 244 ++++++++++-------- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 244 ++++++++++-------- .../v1/zz_generated.deepcopy.go | 28 +- .../OnClusterBuild.yaml | 135 +++++++--- .../OnClusterBuild.yaml | 244 ++++++++++-------- .../v1/zz_generated.swagger_doc_generated.go | 62 ++--- .../OnClusterBuild.yaml | 20 +- .../v1alpha1/types_machineosconfig.go | 7 +- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 4 +- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 4 +- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 4 +- .../OnClusterBuild.yaml | 4 +- .../zz_generated.swagger_doc_generated.go | 2 +- .../generated_openapi/zz_generated.openapi.go | 4 +- openapi/openapi.json | 3 +- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 4 +- 
...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 4 +- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 4 +- 27 files changed, 1151 insertions(+), 731 deletions(-) diff --git a/hack/update-payload-crds.sh b/hack/update-payload-crds.sh index 975fb612721..07c2e460fe3 100755 --- a/hack/update-payload-crds.sh +++ b/hack/update-payload-crds.sh @@ -2,6 +2,7 @@ source "$(dirname "${BASH_SOURCE}")/lib/init.sh" +#TODO(jerzhang): once MOSC/MOSB graduates, update the v1 crds to include them crd_globs="\ authorization/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ config/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ diff --git a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index 4e226b57e70..0dfdd6697ff 100644 --- a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -15,7 +15,7 @@ tests: name: rendered-worker-abcd machineOSConfig: name: worker - renderedImagePushspec: quay.io/cdoern/mco:latest + renderedImagePushspec: quay.io/mco/renderedImage:latest expected: | apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSBuild 
@@ -26,5 +26,22 @@ tests:
 name: rendered-worker-abcd
 machineOSConfig:
 name: worker
- renderedImagePushspec: quay.io/cdoern/mco:latest
+ renderedImagePushspec: quay.io/mco/renderedImage:latest
+ onCreate:
+ - name: Fail on invalid buildEnd time
+ initial: |
+ apiVersion: machineconfiguration.openshift.io/v1
+ kind: MachineOSBuild
+ metadata:
+ name: foobar
+ spec:
+ desiredConfig:
+ name: rendered-worker-abcd
+ machineOSConfig:
+ name: worker
+ renderedImagePushspec: quay.io/mco/renderedImage:latest
+ status:
+ buildStart: 2024-11-28T10:00:00Z
+ buildEnd: 2024-11-28T09:00:00Z
+ expectedError: "Invalid value: \"string\": buildEnd must be after buildStart"
diff --git a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
index c59e1c201b9..fabe3409437 100644
--- a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
+++ b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
@@ -15,14 +15,14 @@ tests:
 name: worker
 buildInputs:
 imageBuilder:
- imageBuilderType: PodImageBuilder
+ imageBuilderType: JobImageBuilder
 baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306
 baseImagePullSecret:
 name: foo
 baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306
 renderedImagePushSecret:
 name: foo
- renderedImagePushspec: quay.io/cdoern/renderedImg:latest
+ renderedImagePushspec: quay.io/mco/renderedImg:latest
 buildOutputs:
 currentImagePullSecret:
 name: foo
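Review bot: The new `Fail on invalid buildEnd time` case is introduced under a fresh `onCreate:` key at the end of the file; if the earlier cases in this file already live under an `onCreate:` list (its key is above this hunk), that is a duplicate mapping key, which a strict YAML loader rejects and a lenient one resolves by silently keeping only one of the two lists. Appending the case as another `- name:` item of the existing list avoids both outcomes. The case also supplies `status:` in an onCreate object; if the CRD serves the status subresource, the apiserver strips status on create, so the expected error can only be observed from an onUpdate case that writes status. Worth confirming against the test runner before relying on this case as the guard for the buildEnd rule in types_machineosbuild.go.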
@@ -36,14 +36,14 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 baseImagePullSecret: name: foo baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 renderedImagePushSecret: name: foo - renderedImagePushspec: quay.io/cdoern/renderedImg:latest + renderedImagePushspec: quay.io/mco/renderedImg:latest buildOutputs: currentImagePullSecret: name: foo @@ -59,7 +59,7 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 baseImagePullSecret: name: foo @@ -80,7 +80,7 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 baseImagePullSecret: name: foo @@ -102,7 +102,7 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 baseImagePullSecret: name: foo 
@@ -125,14 +125,14 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: foo.bar baseImagePullSecret: name: foo baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 renderedImagePushSecret: name: foo - renderedImagePushspec: quay.io/cdoern/renderedImg:latest + renderedImagePushspec: quay.io/mco/renderedImg:latest buildOutputs: currentImagePullSecret: name: foo @@ -148,12 +148,12 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 renderedImagePushSecret: name: foo - renderedImagePushspec: quay.io/cdoern/renderedImg:latest + renderedImagePushspec: quay.io/mco/renderedImg:latest buildOutputs: currentImagePullSecret: name: foo @@ -167,12 +167,12 @@ tests: name: worker buildInputs: imageBuilder: - imageBuilderType: PodImageBuilder + imageBuilderType: JobImageBuilder baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 renderedImagePushSecret: name: foo - renderedImagePushspec: quay.io/cdoern/renderedImg:latest + renderedImagePushspec: quay.io/mco/renderedImg:latest buildOutputs: currentImagePullSecret: name: foo diff --git a/machineconfiguration/v1/types_machineosbuild.go b/machineconfiguration/v1/types_machineosbuild.go index 184a168ad59..d12978f4b83 100644 --- a/machineconfiguration/v1/types_machineosbuild.go 
+++ b/machineconfiguration/v1/types_machineosbuild.go
@@ -33,6 +33,7 @@ type MachineOSBuild struct {
 Spec MachineOSBuildSpec `json:"spec"`
 // status describes the lst observed state of this machine os build
+ // +kubebuilder:validation:XValidation:rule="self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) > timestamp(self.buildEnd)",message="buildEnd must be after buildStart"
 // +optional
 Status MachineOSBuildStatus `json:"status"`
 }
@@ -47,6 +48,7 @@ type MachineOSBuildList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata"`
+ // items contains a collection of MachineOSBuild resources.
 Items []MachineOSBuild `json:"items"`
 }
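Review bot: The buildEnd rule added on `Status` is inverted: a CRD validation rule must evaluate to true for a valid object, but `timestamp(self.buildStart) > timestamp(self.buildEnd)` is true exactly when the build ended before it started, and the `!= null` conjuncts make the whole expression false — rejecting the object — whenever buildEnd is omitted, which the buildEnd doc later in this file describes as the normal not-started/in-progress state. CEL for CRDs also tests optional fields with `has()`, and reading `self.buildStart` on an empty status errors rather than yielding null. Suggested: `rule="!has(self.buildStart) || !has(self.buildEnd) || timestamp(self.buildEnd) >= timestamp(self.buildStart)"` (the `timestamp()` conversions may be unnecessary if `format: date-time` fields are already exposed to CEL as timestamps — worth checking). As written, the `Fail on invalid buildEnd time` fixture in the machineosbuilds test file (buildStart 10:00, buildEnd 09:00) satisfies this rule, so it would not catch the inversion.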
@@ -71,18 +73,23 @@ type MachineOSBuildSpec struct {
 // MachineOSBuildStatus describes the state of a build and other helpful information.
 type MachineOSBuildStatus struct {
 // conditions are state related conditions for the build. Valid types are:
- // Prepared, Building, Failed, Interrupted, and Succeeded
- // once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.
+ // Prepared, Building, Failed, Interrupted, and Succeeded.
+ // Once a Build is marked as Failed or Interrupted, no future conditions can be set.
 // +patchMergeKey=type
 // +patchStrategy=merge
 // +listType=map
 // +listMapKey=type
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:XValidation:rule="self.exists(x, x.type == 'Failed') ? self == oldSelf : true",message="once a Failed condition is set, conditions are immutable"
+ // +kubebuilder:validation:XValidation:rule="self.exists(x, x.type == 'Interrupted') ? self == oldSelf : true",message="once an Interrupted condition is set, conditions are immutable"
 // +optional
 Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 // BuilderReference describes which ImageBuilder backend to use for this build
 // +optional
 BuilderReference *MachineOSBuilderReference `json:"builderReference"`
- // relatedObjects is a list of objects that are related to the build process.
+ // relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs.
+ // After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted.
+ // However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.
 // +kubebuilder:validation:MaxItems=10
 // +listType=map
 // +listMapKey=name
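Review bot: The two immutability rules on `Conditions` inspect the new value, so the very update that first adds a `Failed` (or `Interrupted`) condition is rejected: `self` contains it, `oldSelf` does not, and `self == oldSelf` is false, which means a build can never actually transition into either terminal state. The guard has to key off the old value, e.g. `rule="oldSelf.exists(x, x.type == 'Failed' && x.status == 'True') ? self == oldSelf : true"` and the same for Interrupted; matching on `x.status == 'True'` matters if the controller also writes these types with status False next to the active ones, since otherwise the list freezes at the first write. Because `self == oldSelf` also pins `lastTransitionTime`, `observedGeneration` and `message`, even a clean re-report of the same terminal state is rejected — if that is intended, the doc comment should say so. The relatedObjects doc now says objects of a failed build are retained; naming who is responsible for eventually removing them (and that Secrets among them may hold registry credentials) would help operators bound that retention.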
@@ -93,27 +100,28 @@ type MachineOSBuildStatus struct {
 // +kubebuilder:validation:Required
 BuildStart metav1.Time `json:"buildStart"`
 // buildEnd describes when the build ended.
+ // When omitted the build has either not been started, or is in progress.
+ // It will be populated once the build completes, fails or is interrupted.
 // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildEnd is immutable once set"
 // +optional
 BuildEnd *metav1.Time `json:"buildEnd,omitempty"`
 // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long
 // +kubebuilder:validation:XValidation:rule=`((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long"
 // +optional
- FinalImagePushspec string `json:"finalImagePullspec,omitempty"`
+ FinalImagePushspec string `json:"finalImagePushspec,omitempty"`
 }
 // MachineOSBuilderReference describes which ImageBuilder backend to use for this build
-// +union
-// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'PodImageBuilder' ? has(self.buildPod) : !has(self.buildPod)",message="buildPod is required when imageBuilderType is PodImageBuilder, and forbidden otherwise"
 type MachineOSBuilderReference struct {
- // ImageBuilderType describes the image builder set in the MachineOSConfig
- // +unionDiscriminator
+ // ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with.
+ // Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image.
+ // +kubebuilder:validation:Required
 ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"`
- // relatedObjects is a list of objects that are related to the build process.
- // +unionMember
+ // ImageBuilderRef is a reference to the object that is managing the image build
+ // For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build
 // +optional
- PodImageBuilder *ObjectReference `json:"buildPod,omitempty"`
+ ImageBuilderRef *ObjectReference `json:"ImageBuilderRef,omitempty"`
 }
 // BuildProgess highlights some of the key phases of a build to be tracked in Conditions.
@@ -137,8 +145,10 @@ const (
 // the build targets this MachineConfig, this is often used to tell us whether we need an update.
 type RenderedMachineConfigReference struct {
 // name is the name of the rendered MachineConfig object.
+ // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character
+ // +kubebuilder:validation:MaxLength:=10
 // +kubebuilder:validation:MaxLength:=253
- // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
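Review bot: The JSON tag on the new `ImageBuilderRef` field is capitalized (`ImageBuilderRef`) while every other field in these types uses lowerCamel, so the generated CRD, openapi and swagger docs will expose a key no client expects; change the tag to `json:"imageBuilderRef,omitempty"`. Removing the `+union` markers also drops the rule that tied the reference to the builder type; if a JobImageBuilder build is expected to carry a Job reference once it has started, either a replacement XValidation or a doc sentence stating the reference may legitimately be absent would make that contract explicit. The `finalImagePullspec` → `finalImagePushspec` tag change alters the wire format of an already-published v1 field — presumably acceptable while the type is feature-gated, but it belongs in the commit message alongside the other renames. The enclosing MachineOSBuildStatus struct begins above this hunk.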
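Review bot: Two conflicting length markers now sit on `RenderedMachineConfigReference.Name`: the added `// +kubebuilder:validation:MaxLength:=10` directly above the retained `MaxLength:=253`. If the new one wins, every rendered MachineConfig name used in the test fixtures (`rendered-worker-abcd`, 20 characters) is rejected, and if controller-gen errors on duplicate markers the generation step breaks; the `MaxLength:=10` line looks like a leftover and should be removed. The switch from the case-insensitive Pattern to `format.dns1123Subdomain()` tightens the field to lowercase, which matches Kubernetes object-name rules, but it is a behavioural narrowing worth a line in the commit message.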
@@ -146,37 +156,43 @@ type RenderedMachineConfigReference struct {
 // ObjectReference contains enough information to let you inspect or modify the referred object.
 type ObjectReference struct {
 // group of the referent.
- // This value should consist of only lowercase alphanumeric characters, hyphens and periods.
+ // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character
 // Example: "", "apps", "build.openshift.io", etc.
- // +kubebuilder:validation:Pattern:="^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ // +kubebuilder:validation:MaxLength:=253
 // +kubebuilder:validation:Required
 Group string `json:"group"`
 // resource of the referent.
 // This value should consist of only lowercase alphanumeric characters and hyphens.
 // Example: "deployments", "deploymentconfigs", "pods", etc.
 // +kubebuilder:validation:Required
- // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=63
 Resource string `json:"resource"`
 // namespace of the referent.
- // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // This value should consist of only lowercase alphanumeric characters and hyphens.
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=63
 // +optional
 Namespace string `json:"namespace,omitempty"`
 // name of the referent.
- // +kubebuilder:validation:Required
- // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // This value should consist of only lowercase alphanumeric characters and hyphens.
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
 // MachineOSConfigReference refers to the MachineOSConfig this build is based off of
 type MachineOSConfigReference struct {
- // name of the MachineOSConfig
- // +kubebuilder:validation:Required
- // +kubebuilder:validation:Pattern:="^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ // name of the MachineOSConfig.
+ // This value should consist of only lowercase alphanumeric characters and hyphens.
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
diff --git a/machineconfiguration/v1/types_machineosconfig.go b/machineconfiguration/v1/types_machineosconfig.go
index 7842e9344c0..f7fc324a7a1 100644
--- a/machineconfiguration/v1/types_machineosconfig.go
+++ b/machineconfiguration/v1/types_machineosconfig.go
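Review bot: The new `group` rule rejects the empty string while the doc comment two lines above still lists `""` (the core API group) as a valid example and the field is Required: as far as I can tell `format.dns1123Subdomain().validate("")` reports an error because that format needs at least one character, whereas the removed Pattern explicitly allowed `^$`. If core-group referents such as the ConfigMaps and Secrets named in the relatedObjects doc are meant to be referencable, the rule should read `rule="self == '' || !format.dns1123Subdomain().validate(self).hasValue()"`. Separately, `name` on ObjectReference and on MachineOSConfigReference keeps `MaxLength=256` although Kubernetes object names are capped at 253, and the `name` pattern forbids `.`; if the referent can be a Job or another object whose name is a DNS subdomain, the same dns1123Subdomain check used for `group` would fit better than the hyphen-only pattern. The group doc line also says "The name must contain" where "The group must contain" is meant.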
@@ -41,6 +41,7 @@ type MachineOSConfigList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata,omitempty"`
+ // items contains a collection of MachineOSConfig resources.
 Items []MachineOSConfig `json:"items"`
 }
@@ -53,20 +54,17 @@ type MachineOSConfigSpec struct {
 // +kubebuilder:validation:Required
 BuildInputs BuildInputs `json:"buildInputs"`
 // buildOutputs holds all information needed to handle booting the image after a build
+ // This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry
+ // is different than the one used for pushing the image to the registry during the build.
 // +optional
 BuildOutputs *BuildOutputs `json:"buildOutputs,omitempty"`
 }
 // MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig
 type MachineOSConfigStatus struct {
- // conditions are state related conditions for the config.
- // +patchMergeKey=type
- // +patchStrategy=merge
- // +listType=map
- // +listMapKey=type
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
- // observedGeneration represents the generation observed by the Machine Config Operator's build controller.
+ // observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller.
+ // +kubebuilder:validation:XValidation:rule="self >= oldSelf || (self == 0 && oldSelf > 0)", message="observedGeneration must not move backwards except to zero"
+ // +kubebuilder:validation:Minimum=0
 // +kubebuilder:validation:Required
 ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 // currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.
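Review bot: `ObservedGeneration` is now `+kubebuilder:validation:Required` with `Minimum=0`, yet its tag keeps `omitempty`, so a zero value is dropped from the serialized status and the required check fails on exactly the "reset to zero" transition the new rule goes out of its way to permit. Either drop `omitempty` from the tag or drop the Required marker; `Minimum=0` already bounds the field. The XValidation marker is written as `rule="…", message="…"` with a space after the comma; every other XValidation in this file uses `rule=…,message=…` without it, and I am not certain controller-gen's marker parser tolerates the space, so it should be made consistent. The doc for buildOutputs now states the pull secret "should be provided if … different than" the push secret; given the least-privilege rationale elsewhere in this file, saying that a separate pull secret is recommended rather than merely allowed would better reflect the intent.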
@@ -79,13 +77,16 @@ type MachineOSConfigStatus struct {
 // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
 // +optional
 CurrentImagePullspec string `json:"currentImagePullspec,omitempty"`
+ // machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build
+ // +optional
+ MachineOSBuild *ObjectReference `json:"machineOSBuild,omitempty"`
 }
 // BuildInputs holds all of the information needed to trigger a build
 type BuildInputs struct {
 // baseOSExtensionsImagePullspec is the base Extensions image used in the build process
- // the MachineOSConfig object will use the in cluster image registry configuration.
- // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
+ // The MachineOSConfig object will use the in cluster image registry configuration.
+ // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
 // The format of the image pullspec is:
 // host[:port][/namespace]/name@sha256:
 // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
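Review bot: The new `MachineOSBuild` status field is a generic `ObjectReference`, so its `group` and `resource` may name any API type even though the doc says it always points at the MachineOSBuild for this config. Anything that resolves this reference should check `group`/`resource` before fetching by name rather than trusting it, and a narrower name-only reference in the style of `MachineOSConfigReference` would let the API enforce that contract instead of leaving it to consumers. The doc comment should also state whether the reference is cleared when the build is deleted or superseded by a newer build.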
@@ -96,8 +97,8 @@ type BuildInputs struct {
 // +optional
 BaseOSExtensionsImagePullspec string `json:"baseOSExtensionsImagePullspec,omitempty"`
 // baseOSImagePullspec is the base OSImage we use to build our custom image.
- // the MachineOSConfig object will use the in cluster image registry configuration.
- // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
+ // The MachineOSConfig object will use the in cluster image registry configuration.
+ // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
 // The format of the image pullspec is:
 // host[:port][/namespace]/name@sha256:
 // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
@@ -108,41 +109,42 @@ type BuildInputs struct {
 // +optional
 BaseOSImagePullspec string `json:"baseOSImagePullspec,omitempty"`
 // baseImagePullSecret is the secret used to pull the base image.
- // must live in the openshift-machine-config-operator namespace if provided.
- // defaults to using the cluster-wide pull secret if not specified.
+ // Must live in the openshift-machine-config-operator namespace if provided.
+ // Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.
 // +optional
 BaseImagePullSecret *ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"`
- // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig
+ // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig.
+ // Currently supported type(s): JobImageBuilder
 // +kubebuilder:validation:Required
- ImageBuilder *MachineOSImageBuilder `json:"imageBuilder"`
+ ImageBuilder MachineOSImageBuilder `json:"imageBuilder"`
 // renderedImagePushSecret is the secret used to connect to a user registry.
- // the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated,
- // that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated,
- // that only gives someone to pull images from the image repository. It's basically the principle of least permissions.
- // this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them
- // will only need to pull the image in order to use it.
+ // The final image push and pull secrets should be separate and assume the principal of least privilege.
+ // The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod.
+ // The pull secret with read only privileges is required on all nodes.
+ // By separating the two secrets, the risk of write credentials becoming compromised is reduced.
 // +kubebuilder:validation:Required
 RenderedImagePushSecret ImageSecretObjectReference `json:"renderedImagePushSecret"`
- // renderedImagePushspec describes the location of the final image.
- // the MachineOSConfig object will use the in cluster image registry configuration.
- // if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
+ // renderedImagePushSpec describes the location of the final image.
+ // The MachineOSConfig object will use the in cluster image registry configuration.
+ // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects.
 // The format of the image pushspec is:
 // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
 // +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
 // +kubebuilder:validation:Required
- RenderedImagePushspec string `json:"renderedImagePushspec"`
+ RenderedImagePushSpec string `json:"renderedImagePushSpec"`
 // releaseVersion is an Openshift release version which the base OS image is associated with.
 // This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace.
 // It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream.
- // This is used as a label in the dockerfile that builds the OS image.
+ // This is used as a label in the Containerfile that builds the OS image.
 // +kubebuilder:validation:MaxLength:=253
- // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +optional
 ReleaseVersion string `json:"releaseVersion,omitempty"`
 // containerFile describes the custom data the user has specified to build into the image.
- // this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.
+ // This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.
+ // See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference.
 // you can specify up to 7 containerFiles
 // +patchMergeKey=containerfileArch
 // +patchStrategy=merge
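Review bot: The JSON tag change from `renderedImagePushspec` to `renderedImagePushSpec` is a wire-format break on a served API: objects persisted under the old key decode into an empty RenderedImagePushSpec and then fail `MinLength=1`/Required on their next write, and clients that still send the old key lose the value because a structural schema prunes unknown fields. The enum value changes in the later hunks of this file (the ContainerfileArch values, and `PodImageBuilder` becoming `JobImageBuilder`) have the same effect on stored objects. If these breaks are intended for the alpha API, the commit description should say so and any fixtures still using the old spellings should be updated; otherwise keep the old tag and accept the old enum values alongside the new ones. The new `format.dns1123Subdomain()` rule on ReleaseVersion depends, I believe, on the CEL format library that only recent apiservers ship, so the minimum supported cluster version should be confirmed. Also a typo in the new comment: `principal of least privilege` should read `principle of least privilege`.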
@@ -155,68 +157,72 @@ type BuildInputs struct {
 }
 // BuildOutputs holds all information needed to handle booting the image after a build
-// +union
 type BuildOutputs struct {
 // currentImagePullSecret is the secret used to pull the final produced image.
- // must live in the openshift-machine-config-operator namespace
+ // Must live in the openshift-machine-config-operator namespace,
 // the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated,
 // that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated,
 // that only gives someone to pull images from the image repository. It's basically the principle of least permissions.
- // this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.
+ // This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.
 // +optional
- CurrentImagePullSecret ImageSecretObjectReference `json:"currentImagePullSecret,omitempty"`
+ CurrentImagePullSecret *ImageSecretObjectReference `json:"currentImagePullSecret,omitempty"`
 }
 type MachineOSImageBuilder struct {
 // imageBuilderType specifies the backend to be used to build the image.
- // +kubebuilder:validation:Enum:=PodImageBuilder
- // Valid options are: PodImageBuilder
+ // +kubebuilder:validation:Enum:=JobImageBuilder
+ // Valid options are: JobImageBuilder
+ // +required
 ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"`
 }
 // MachineOSContainerfile contains all custom content the user wants built into the image
 type MachineOSContainerfile struct {
- // containerfileArch describes the architecture this containerfile is to be built for
- // this arch is optional.
If the user does not specify an architecture, it is assumed
+ // containerfileArch describes the architecture this containerfile is to be built for.
+ // This arch is optional. If the user does not specify an architecture, it is assumed
 // that the content can be applied to all architectures, or in a single arch cluster: the only architecture.
- // +kubebuilder:validation:Enum:=arm64;amd64;ppc64le;s390x;aarch64;x86_64;noarch
- // +kubebuilder:default:=noarch
+ // +kubebuilder:validation:Enum:=ARM64;AMD64;PPC64LE;S390X;AArch64;x86_64;NoArch
+ // +kubebuilder:default:=NoArch
 // +optional
 ContainerfileArch ContainerfileArch `json:"containerfileArch"`
 // content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image.
+ // See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference.
 // for example, this would add the tree package to your hosts:
 // FROM configs AS final
 // RUN rpm-ostree install tree && \
 // ostree container commit
 // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=4096
 Content string `json:"content"`
 }
+// +enum
 type ContainerfileArch string
 const (
 // describes the arm64 architecture
- Arm64 ContainerfileArch = "arm64"
+ Arm64 ContainerfileArch = "ARM64"
 // describes the amd64 architecture
- Amd64 ContainerfileArch = "amd64"
+ Amd64 ContainerfileArch = "AMD64"
 // describes the ppc64le architecture
- Ppc ContainerfileArch = "ppc64le"
+ Ppc ContainerfileArch = "PPC64LE"
 // describes the s390x architecture
- S390 ContainerfileArch = "s390x"
+ S390 ContainerfileArch = "S390X"
 // describes the aarch64 architecture
- Aarch64 ContainerfileArch = "aarch64"
+ Aarch64 ContainerfileArch = "AArch64"
 // describes the fx86_64 architecture
 X86_64 ContainerfileArch = "x86_64"
 // describes a containerfile that can be applied to any arch
- NoArch ContainerfileArch = "noarch"
+ NoArch ContainerfileArch = "NoArch"
 )
 // Refers to the name of a MachineConfigPool (e.g.,
"worker", "infra", etc.):
 // the MachineOSBuilder pod validates that the user has provided a valid pool
 type MachineConfigPoolReference struct {
 // name of the MachineConfigPool object.
+ // Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
 // +kubebuilder:validation:MaxLength:=253
- // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
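Review bot: The new ContainerfileArch values are inconsistently cased: `ARM64`, `AMD64`, `PPC64LE`, `S390X` and `NoArch` are all-caps or PascalCase while `AArch64` and `x86_64` are not, so each spelling has to be memorised and the Enum rejects near-misses such as `AARCH64`. Pick one convention for the whole set and state it in the type comment, e.g. `// ContainerfileArch is the target architecture of a containerfile; values are case-sensitive.` The `+required` marker on ImageBuilderType also differs from the `+kubebuilder:validation:Required` used on every other required field in this file, and one style should be used throughout. While this block is being touched, the pre-existing comment `// describes the fx86_64 architecture` next to the changed constants could be corrected to `x86_64`.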
@@ -224,16 +230,18 @@ type MachineConfigPoolReference struct {
 // Refers to the name of an image registry push/pull secret needed in the build process.
 type ImageSecretObjectReference struct {
 // name is the name of the secret used to push or pull this MachineOSConfig object.
- // this secret must be in the openshift-machine-config-operator namespace.
+ // Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
+ // This secret must be in the openshift-machine-config-operator namespace.
 // +kubebuilder:validation:MaxLength:=253
- // +kubebuilder:validation:Pattern=`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
+// +enum
 type MachineOSImageBuilderType string
 const (
- // describes that the machine-os-builder will use a custom pod builder that uses buildah
- PodBuilder MachineOSImageBuilderType = "PodImageBuilder"
+ // describes that the machine-os-builder will use a Job to spin up a custom pod builder that uses buildah
+ JobBuilder MachineOSImageBuilderType = "JobImageBuilder"
 )
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
index e143d4055f4..b767598a7af 100644
--- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
@@ -67,10 +67,16 @@ spec: an image for. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object @@ -79,11 +85,16 @@ spec: is based off of properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - name type: object @@ -115,7 +126,10 @@ spec: build properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd describes when the build ended. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: 
@@ -132,56 +146,75 @@ spec: description: BuilderReference describes which ImageBuilder backend to use for this build properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + ImageBuilderRef: + description: |- + ImageBuilderRef is a reference to the object that is managing the image build + For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. 
maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig + description: |- + ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. + Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. type: string + required: + - imageBuilderType type: object - x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed or Interrupted, no future conditions can be set. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -236,11 +269,19 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Failed'') ? self == oldSelf : + true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf + : true' + finalImagePushspec: description: finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal @@ -251,8 +292,10 @@ spec: suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. + However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. 
@@ -260,29 +303,49 @@ spec: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. 
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name @@ -297,6 +360,10 @@ spec: required: - buildStart type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + > timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml index aab2e8109ea..c9e9728bae3 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml @@ -67,10 +67,16 @@ spec: an image for. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object 
@@ -79,11 +85,16 @@ spec: is based off of properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - name type: object @@ -115,7 +126,10 @@ spec: build properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd describes when the build ended. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: 
@@ -132,56 +146,75 @@ spec: description: BuilderReference describes which ImageBuilder backend to use for this build properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + ImageBuilderRef: + description: |- + ImageBuilderRef is a reference to the object that is managing the image build + For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. 
maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig + description: |- + ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. + Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. type: string + required: + - imageBuilderType type: object - x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed or Interrupted, no future conditions can be set. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -236,11 +269,19 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Failed'') ? self == oldSelf : + true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf + : true' + finalImagePushspec: description: finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal @@ -251,8 +292,10 @@ spec: suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. + However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. 
@@ -260,29 +303,49 @@ spec: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. 
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name @@ -297,6 +360,10 @@ spec: required: - buildStart type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + > timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml index 108302b5ddd..42835d4db79 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml @@ -67,10 +67,16 @@ spec: an image for. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object 
@@ -79,11 +85,16 @@ spec: is based off of properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - name type: object @@ -115,7 +126,10 @@ spec: build properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd describes when the build ended. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: 
@@ -132,56 +146,75 @@ spec: description: BuilderReference describes which ImageBuilder backend to use for this build properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + ImageBuilderRef: + description: |- + ImageBuilderRef is a reference to the object that is managing the image build + For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. 
maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig + description: |- + ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. + Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. type: string + required: + - imageBuilderType type: object - x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed or Interrupted, no future conditions can be set. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -236,11 +269,19 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Failed'') ? self == oldSelf : + true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf + : true' + finalImagePushspec: description: finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal @@ -251,8 +292,10 @@ spec: suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. + However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. 
@@ -260,29 +303,49 @@ spec: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. 
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name @@ -297,6 +360,10 @@ spec: required: - buildStart type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + > timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index 0c963a5e7bc..7b342ebc202 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml 
@@ -53,24 +53,29 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object baseOSExtensionsImagePullspec: description: |- baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -87,8 +92,8 @@ spec: baseOSImagePullspec: description: |- baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
@@ -105,34 +110,37 @@ spec: containerFile: description: |- containerFile describes the custom data the user has specified to build into the image. - this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image properties: containerfileArch: - default: noarch + default: NoArch description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture. enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 + - ARM64 + - AMD64 + - PPC64LE + - S390X + - AArch64 - x86_64 - - noarch + - NoArch type: string content: description: |- content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. for example, this would add the tree package to your hosts: FROM configs AS final RUN rpm-ostree install tree && \ ostree container commit + maxLength: 4096 type: string required: - content 
@@ -144,50 +152,61 @@ spec: - containerfileArch x-kubernetes-list-type: map imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig + description: |- + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): JobImageBuilder properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder + Valid options are: JobImageBuilder enum: - - PodImageBuilder + - JobImageBuilder type: string + required: + - imageBuilderType type: object releaseVersion: description: |- releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. + This is used as a label in the Containerfile that builds the OS image. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' renderedImagePushSecret: description: |- renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. 
By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -203,28 +222,35 @@ spec: required: - imageBuilder - renderedImagePushSecret - - renderedImagePushspec + - renderedImagePushSpec type: object buildOutputs: - description: buildOutputs holds all information needed to handle booting - the image after a build + description: |- + buildOutputs holds all information needed to handle booting the image after a build + This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry + is different than the one used for pushing the image to the registry during the build. properties: currentImagePullSecret: description: |- currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace + Must live in the openshift-machine-config-operator namespace, the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object @@ -233,10 +259,16 @@ spec: description: machineConfigPool is the pool which the build is for properties: name: - description: name of the MachineConfigPool object. + description: |- + name of the MachineConfigPool object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object 
@@ -247,66 +279,6 @@ spec: status: description: status describes the status of the machineosconfig properties: - conditions: - description: conditions are state related conditions for the config. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map currentImagePullspec: description: |- currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. 
@@ -323,11 +295,71 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + name: + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + namespace: + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: observedGeneration represents the generation observed - by the Machine Config Operator's build controller. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards except to zero + rule: self >= oldSelf || (self == 0 && oldSelf > 0) required: - observedGeneration type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index 0b3e1acff7c..2a7eed90e9c 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml 
@@ -53,24 +53,29 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object baseOSExtensionsImagePullspec: description: |- baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -87,8 +92,8 @@ spec: baseOSImagePullspec: description: |- baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
@@ -105,34 +110,37 @@ spec: containerFile: description: |- containerFile describes the custom data the user has specified to build into the image. - this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image properties: containerfileArch: - default: noarch + default: NoArch description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture. enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 + - ARM64 + - AMD64 + - PPC64LE + - S390X + - AArch64 - x86_64 - - noarch + - NoArch type: string content: description: |- content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. for example, this would add the tree package to your hosts: FROM configs AS final RUN rpm-ostree install tree && \ ostree container commit + maxLength: 4096 type: string required: - content 
@@ -144,50 +152,61 @@ spec: - containerfileArch x-kubernetes-list-type: map imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig + description: |- + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): JobImageBuilder properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder + Valid options are: JobImageBuilder enum: - - PodImageBuilder + - JobImageBuilder type: string + required: + - imageBuilderType type: object releaseVersion: description: |- releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. + This is used as a label in the Containerfile that builds the OS image. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' renderedImagePushSecret: description: |- renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. 
By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -203,28 +222,35 @@ spec: required: - imageBuilder - renderedImagePushSecret - - renderedImagePushspec + - renderedImagePushSpec type: object buildOutputs: - description: buildOutputs holds all information needed to handle booting - the image after a build + description: |- + buildOutputs holds all information needed to handle booting the image after a build + This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry + is different than the one used for pushing the image to the registry during the build. properties: currentImagePullSecret: description: |- currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace + Must live in the openshift-machine-config-operator namespace, the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object @@ -233,10 +259,16 @@ spec: description: machineConfigPool is the pool which the build is for properties: name: - description: name of the MachineConfigPool object. + description: |- + name of the MachineConfigPool object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object 
@@ -247,66 +279,6 @@ spec: status: description: status describes the status of the machineosconfig properties: - conditions: - description: conditions are state related conditions for the config. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map currentImagePullspec: description: |- currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. 
@@ -323,11 +295,71 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + name: + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + namespace: + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: observedGeneration represents the generation observed - by the Machine Config Operator's build controller. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards except to zero + rule: self >= oldSelf || (self == 0 && oldSelf > 0) required: - observedGeneration type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 16ad77411c0..b7088cf0e93 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -53,24 +53,29 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object baseOSExtensionsImagePullspec: description: |- baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -87,8 +92,8 @@ spec: baseOSImagePullspec: description: |- baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
@@ -105,34 +110,37 @@ spec: containerFile: description: |- containerFile describes the custom data the user has specified to build into the image. - this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image properties: containerfileArch: - default: noarch + default: NoArch description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture. enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 + - ARM64 + - AMD64 + - PPC64LE + - S390X + - AArch64 - x86_64 - - noarch + - NoArch type: string content: description: |- content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. for example, this would add the tree package to your hosts: FROM configs AS final RUN rpm-ostree install tree && \ ostree container commit + maxLength: 4096 type: string required: - content 
@@ -144,50 +152,61 @@ spec: - containerfileArch x-kubernetes-list-type: map imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig + description: |- + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): JobImageBuilder properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder + Valid options are: JobImageBuilder enum: - - PodImageBuilder + - JobImageBuilder type: string + required: + - imageBuilderType type: object releaseVersion: description: |- releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. + This is used as a label in the Containerfile that builds the OS image. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' renderedImagePushSecret: description: |- renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. 
By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -203,28 +222,35 @@ spec: required: - imageBuilder - renderedImagePushSecret - - renderedImagePushspec + - renderedImagePushSpec type: object buildOutputs: - description: buildOutputs holds all information needed to handle booting - the image after a build + description: |- + buildOutputs holds all information needed to handle booting the image after a build + This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry + is different than the one used for pushing the image to the registry during the build. properties: currentImagePullSecret: description: |- currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace + Must live in the openshift-machine-config-operator namespace, the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object @@ -233,10 +259,16 @@ spec: description: machineConfigPool is the pool which the build is for properties: name: - description: name of the MachineConfigPool object. + description: |- + name of the MachineConfigPool object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object 
@@ -247,66 +279,6 @@ spec: status: description: status describes the status of the machineosconfig properties: - conditions: - description: conditions are state related conditions for the config. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map currentImagePullspec: description: |- currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. 
@@ -323,11 +295,71 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + name: + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + namespace: + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: observedGeneration represents the generation observed - by the Machine Config Operator's build controller. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards except to zero + rule: self >= oldSelf || (self == 0 && oldSelf > 0) required: - observedGeneration type: object diff --git a/machineconfiguration/v1/zz_generated.deepcopy.go b/machineconfiguration/v1/zz_generated.deepcopy.go index c505d55c081..59637cc93ef 100644 --- a/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/machineconfiguration/v1/zz_generated.deepcopy.go @@ -21,11 +21,7 @@ func (in *BuildInputs) DeepCopyInto(out *BuildInputs) { *out = new(ImageSecretObjectReference) **out = **in } - if in.ImageBuilder != nil { - in, out := &in.ImageBuilder, &out.ImageBuilder - *out = new(MachineOSImageBuilder) - **out = **in - } + out.ImageBuilder = in.ImageBuilder out.RenderedImagePushSecret = in.RenderedImagePushSecret if in.Containerfile != nil { in, out := &in.Containerfile, &out.Containerfile @@ -48,7 +44,11 @@ func (in *BuildInputs) DeepCopy() *BuildInputs { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BuildOutputs) DeepCopyInto(out *BuildOutputs) { *out = *in - out.CurrentImagePullSecret = in.CurrentImagePullSecret + if in.CurrentImagePullSecret != nil { + in, out := &in.CurrentImagePullSecret, &out.CurrentImagePullSecret + *out = new(ImageSecretObjectReference) + **out = **in + } return } 
@@ -1034,8 +1034,8 @@ func (in *MachineOSBuildStatus) DeepCopy() *MachineOSBuildStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineOSBuilderReference) DeepCopyInto(out *MachineOSBuilderReference) { *out = *in - if in.PodImageBuilder != nil { - in, out := &in.PodImageBuilder, &out.PodImageBuilder + if in.ImageBuilderRef != nil { + in, out := &in.ImageBuilderRef, &out.ImageBuilderRef *out = new(ObjectReference) **out = **in } @@ -1141,7 +1141,7 @@ func (in *MachineOSConfigSpec) DeepCopyInto(out *MachineOSConfigSpec) { if in.BuildOutputs != nil { in, out := &in.BuildOutputs, &out.BuildOutputs *out = new(BuildOutputs) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -1159,12 +1159,10 @@ func (in *MachineOSConfigSpec) DeepCopy() *MachineOSConfigSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineOSConfigStatus) DeepCopyInto(out *MachineOSConfigStatus) { *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]metav1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.MachineOSBuild != nil { + in, out := &in.MachineOSBuild, &out.MachineOSBuild + *out = new(ObjectReference) + **out = **in } return } diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index 34d711a19a1..759e9d3108e 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -67,10 +67,16 @@ spec: an image for. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object @@ -79,11 +85,16 @@ spec: is based off of properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - name type: object @@ -115,7 +126,10 @@ spec: build properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd describes when the build ended. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: 
@@ -132,56 +146,75 @@ spec: description: BuilderReference describes which ImageBuilder backend to use for this build properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + ImageBuilderRef: + description: |- + ImageBuilderRef is a reference to the object that is managing the image build + For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. 
maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig + description: |- + ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. + Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. type: string + required: + - imageBuilderType type: object - x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? has(self.buildPod) : !has(self.buildPod)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed or Interrupted, no future conditions can be set. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -236,11 +269,19 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Failed'') ? self == oldSelf : + true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf + : true' + finalImagePushspec: description: finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal @@ -251,8 +292,10 @@ spec: suffix, where '' is 64 hexadecimal characters long rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. + However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. 
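Review bot: The immutability rules added to `conditions` compare `self` with `oldSelf` whenever the new list contains a condition of type Failed (or Interrupted), so the update that first records that condition is itself rejected, and if the controller seeds every condition type with status False at creation the list would be frozen from the start. The terminal state should be judged on the previous list and on the condition's status, for example `rule: 'oldSelf.exists(x, x.type == ''Failed'' && x.status == ''True'') ? self == oldSelf : true'`, with the same shape for Interrupted. Because this is a generated manifest, the change belongs in the validation marker on the conditions field of the v1 MachineOSBuildStatus type, which is outside this diff.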
@@ -260,29 +303,49 @@ spec: group: description: |- group of the referent. - This value should consist of only lowercase alphanumeric characters, hyphens and periods. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: "", "apps", "build.openshift.io", etc. - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' name: - description: name of the referent. + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 256 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: description: |- resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: "deployments", "deploymentconfigs", "pods", etc. 
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') required: - group - name @@ -297,6 +360,10 @@ spec: required: - buildStart type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + > timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 4f1b564cbca..83bf9b995d8 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
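Review bot: The `buildEnd must be after buildStart` rule added on the status object is inverted and does not guard the optional field: it is only satisfied when `timestamp(self.buildStart) > timestamp(self.buildEnd)`, and the `self.buildEnd != null` clause fails the rule for every status that omits buildEnd, which the buildEnd description in this same file calls the not-started or in-progress case. A rule matching the message would be `rule: '!has(self.buildEnd) || timestamp(self.buildStart) <= timestamp(self.buildEnd)'` (or `<` if equal timestamps should be rejected). As this is a generated manifest, the fix belongs in the validation marker on the v1 MachineOSBuildStatus type, which is outside this diff.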
@@ -53,24 +53,29 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object baseOSExtensionsImagePullspec: description: |- baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -87,8 +92,8 @@ spec: baseOSImagePullspec: description: |- baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
@@ -105,34 +110,37 @@ spec: containerFile: description: |- containerFile describes the custom data the user has specified to build into the image. - this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. you can specify up to 7 containerFiles items: description: MachineOSContainerfile contains all custom content the user wants built into the image properties: containerfileArch: - default: noarch + default: NoArch description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture. enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 + - ARM64 + - AMD64 + - PPC64LE + - S390X + - AArch64 - x86_64 - - noarch + - NoArch type: string content: description: |- content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. for example, this would add the tree package to your hosts: FROM configs AS final RUN rpm-ostree install tree && \ ostree container commit + maxLength: 4096 type: string required: - content 
@@ -144,50 +152,61 @@ spec: - containerfileArch x-kubernetes-list-type: map imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig + description: |- + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): JobImageBuilder properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder + Valid options are: JobImageBuilder enum: - - PodImageBuilder + - JobImageBuilder type: string + required: + - imageBuilderType type: object releaseVersion: description: |- releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. + This is used as a label in the Containerfile that builds the OS image. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' renderedImagePushSecret: description: |- renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. 
By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
+ renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -203,28 +222,35 @@ spec: required: - imageBuilder - renderedImagePushSecret - - renderedImagePushspec + - renderedImagePushSpec type: object buildOutputs: - description: buildOutputs holds all information needed to handle booting - the image after a build + description: |- + buildOutputs holds all information needed to handle booting the image after a build + This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry + is different than the one used for pushing the image to the registry during the build. properties: currentImagePullSecret: description: |- currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace + Must live in the openshift-machine-config-operator namespace, the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. + This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. properties: name: description: |- name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object @@ -233,10 +259,16 @@ spec: description: machineConfigPool is the pool which the build is for properties: name: - description: name of the MachineConfigPool object. + description: |- + name of the MachineConfigPool object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object 
@@ -247,66 +279,6 @@ spec: status: description: status describes the status of the machineosconfig properties: - conditions: - description: conditions are state related conditions for the config. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map currentImagePullspec: description: |- currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. 
@@ -323,11 +295,71 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + name: + description: |- + name of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + namespace: + description: |- + namespace of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of only lowercase alphanumeric characters and hyphens. + Example: "deployments", "deploymentconfigs", "pods", etc. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: observedGeneration represents the generation observed - by the Machine Config Operator's build controller. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards except to zero + rule: self >= oldSelf || (self == 0 && oldSelf > 0) required: - observedGeneration type: object diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 8ea3e91e827..cad7f6bbb9d 100644 --- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go @@ -370,7 +370,8 @@ func (MachineOSBuild) SwaggerDoc() map[string]string { } var map_MachineOSBuildList = map[string]string{ - "": "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "items": "items contains a collection of MachineOSBuild resources.", } func (MachineOSBuildList) SwaggerDoc() map[string]string { 
@@ -390,12 +391,12 @@ func (MachineOSBuildSpec) SwaggerDoc() map[string]string { var map_MachineOSBuildStatus = map[string]string{ "": "MachineOSBuildStatus describes the state of a build and other helpful information.", - "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", + "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded. Once a Build is marked as Failed or Interrupted, no future conditions can be set.", "builderReference": "BuilderReference describes which ImageBuilder backend to use for this build", - "relatedObjects": "relatedObjects is a list of objects that are related to the build process.", + "relatedObjects": "relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.", "buildStart": "buildStart describes when the build started.", - "buildEnd": "buildEnd describes when the build ended.", - "finalImagePullspec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long", + "buildEnd": "buildEnd describes when the build ended. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted.", + "finalImagePushspec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. 
Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long", } func (MachineOSBuildStatus) SwaggerDoc() map[string]string { @@ -404,8 +405,8 @@ func (MachineOSBuildStatus) SwaggerDoc() map[string]string { var map_MachineOSBuilderReference = map[string]string{ "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build", - "imageBuilderType": "ImageBuilderType describes the image builder set in the MachineOSConfig", - "buildPod": "relatedObjects is a list of objects that are related to the build process.", + "imageBuilderType": "ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image.", + "ImageBuilderRef": "ImageBuilderRef is a reference to the object that is managing the image build For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build", } func (MachineOSBuilderReference) SwaggerDoc() map[string]string { @@ -414,7 +415,7 @@ func (MachineOSBuilderReference) SwaggerDoc() map[string]string { var map_MachineOSConfigReference = map[string]string{ "": "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", - "name": "name of the MachineOSConfig", + "name": "name of the MachineOSConfig. This value should consist of only lowercase alphanumeric characters and hyphens.", } func (MachineOSConfigReference) SwaggerDoc() map[string]string { 
@@ -423,10 +424,10 @@ func (MachineOSConfigReference) SwaggerDoc() map[string]string { var map_ObjectReference = map[string]string{ "": "ObjectReference contains enough information to let you inspect or modify the referred object.", - "group": "group of the referent. This value should consist of only lowercase alphanumeric characters, hyphens and periods. Example: \"\", \"apps\", \"build.openshift.io\", etc.", + "group": "group of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: \"\", \"apps\", \"build.openshift.io\", etc.", "resource": "resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", - "namespace": "namespace of the referent.", - "name": "name of the referent.", + "namespace": "namespace of the referent. This value should consist of only lowercase alphanumeric characters and hyphens.", + "name": "name of the referent. This value should consist of only lowercase alphanumeric characters and hyphens.", } func (ObjectReference) SwaggerDoc() map[string]string { @@ -435,7 +436,7 @@ func (ObjectReference) SwaggerDoc() map[string]string { var map_RenderedMachineConfigReference = map[string]string{ "": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", - "name": "name is the name of the rendered MachineConfig object.", + "name": "name is the name of the rendered MachineConfig object. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character", } func (RenderedMachineConfigReference) SwaggerDoc() map[string]string { 
@@ -444,14 +445,14 @@ func (RenderedMachineConfigReference) SwaggerDoc() map[string]string { var map_BuildInputs = map[string]string{ "": "BuildInputs holds all of the information needed to trigger a build", - "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", - "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", - "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", - "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", - "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. 
By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", - "renderedImagePushspec": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", - "releaseVersion": "releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", - "containerFile": "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. you can specify up to 7 containerFiles", + "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. Must live in the openshift-machine-config-operator namespace if provided. Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.", + "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. Currently supported type(s): JobImageBuilder", + "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. The final image push and pull secrets should be separate and assume the principal of least privilege. The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. The pull secret with read only privileges is required on all nodes. By separating the two secrets, the risk of write credentials becoming compromised is reduced.", + "renderedImagePushSpec": "renderedImagePushSpec describes the location of the final image. The MachineOSConfig object will use the in cluster image registry configuration. 
If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + "releaseVersion": "releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the Containerfile that builds the OS image.", + "containerFile": "containerFile describes the custom data the user has specified to build into the image. This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. you can specify up to 7 containerFiles", } func (BuildInputs) SwaggerDoc() map[string]string { 
@@ -460,7 +461,7 @@ func (BuildInputs) SwaggerDoc() map[string]string { var map_BuildOutputs = map[string]string{ "": "BuildOutputs holds all information needed to handle booting the image after a build", - "currentImagePullSecret": "currentImagePullSecret is the secret used to pull the final produced image. must live in the openshift-machine-config-operator namespace the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", + "currentImagePullSecret": "currentImagePullSecret is the secret used to pull the final produced image. Must live in the openshift-machine-config-operator namespace, the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", } func (BuildOutputs) SwaggerDoc() map[string]string { 
@@ -469,7 +470,7 @@ func (BuildOutputs) SwaggerDoc() map[string]string { var map_ImageSecretObjectReference = map[string]string{ "": "Refers to the name of an image registry push/pull secret needed in the build process.", - "name": "name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace.", + "name": "name is the name of the secret used to push or pull this MachineOSConfig object. Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. This secret must be in the openshift-machine-config-operator namespace.", } func (ImageSecretObjectReference) SwaggerDoc() map[string]string { @@ -478,7 +479,7 @@ func (ImageSecretObjectReference) SwaggerDoc() map[string]string { var map_MachineConfigPoolReference = map[string]string{ "": "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", - "name": "name of the MachineConfigPool object.", + "name": "name of the MachineConfigPool object. Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.", } func (MachineConfigPoolReference) SwaggerDoc() map[string]string { 
@@ -496,7 +497,8 @@ func (MachineOSConfig) SwaggerDoc() map[string]string { } var map_MachineOSConfigList = map[string]string{ - "": "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "items": "items contains a collection of MachineOSConfig resources.", } func (MachineOSConfigList) SwaggerDoc() map[string]string { @@ -507,7 +509,7 @@ var map_MachineOSConfigSpec = map[string]string{ "": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", "machineConfigPool": "machineConfigPool is the pool which the build is for", "buildInputs": "buildInputs is where user input options for the build live", - "buildOutputs": "buildOutputs holds all information needed to handle booting the image after a build", + "buildOutputs": "buildOutputs holds all information needed to handle booting the image after a build This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry is different than the one used for pushing the image to the registry during the build.", } func (MachineOSConfigSpec) SwaggerDoc() map[string]string { 
@@ -516,9 +518,9 @@ func (MachineOSConfigSpec) SwaggerDoc() map[string]string { var map_MachineOSConfigStatus = map[string]string{ "": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", - "conditions": "conditions are state related conditions for the config.", - "observedGeneration": "observedGeneration represents the generation observed by the Machine Config Operator's build controller.", + "observedGeneration": "observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller.", "currentImagePullspec": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "machineOSBuild": "machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build", } func (MachineOSConfigStatus) SwaggerDoc() map[string]string { 
@@ -527,8 +529,8 @@ func (MachineOSConfigStatus) SwaggerDoc() map[string]string { var map_MachineOSContainerfile = map[string]string{ "": "MachineOSContainerfile contains all custom content the user wants built into the image", - "containerfileArch": "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", - "content": "content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. for example, this would add the tree package to your hosts:\n FROM configs AS final\n RUN rpm-ostree install tree && \\n ostree container commit", + "containerfileArch": "containerfileArch describes the architecture this containerfile is to be built for. This arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", + "content": "content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. for example, this would add the tree package to your hosts:\n FROM configs AS final\n RUN rpm-ostree install tree && \\n ostree container commit", } func (MachineOSContainerfile) SwaggerDoc() map[string]string { @@ -536,7 +538,7 @@ func (MachineOSContainerfile) SwaggerDoc() map[string]string { } var map_MachineOSImageBuilder = map[string]string{ - "imageBuilderType": "imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder", + "imageBuilderType": "imageBuilderType specifies the backend to be used to build the image. Valid options are: JobImageBuilder", } func (MachineOSImageBuilder) SwaggerDoc() map[string]string { 
diff --git a/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
index 30484df888a..05d3fe1628f 100644
--- a/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
+++ b/machineconfiguration/v1alpha1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
@@ -113,22 +113,4 @@ tests:
 buildOutputs:
 currentImagePullSecret:
 name: foo
- expected: |
- apiVersion: machineconfiguration.openshift.io/v1alpha1
- kind: MachineOSConfig
- metadata:
- name: foobar
- spec:
- machineConfigPool:
- name: worker
- buildInputs:
- imageBuilder:
- imageBuilderType: PodImageBuilder
- baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306
- baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306
- renderedImagePushSecret:
- name: foo
- renderedImagePushspec: quay.io/cdoern/renderedImg:latest
- buildOutputs:
- currentImagePullSecret:
- name: foo
+ expectedError: "Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation"
diff --git a/machineconfiguration/v1alpha1/types_machineosconfig.go b/machineconfiguration/v1alpha1/types_machineosconfig.go
index 01082e09102..35863517a54 100644
--- a/machineconfiguration/v1alpha1/types_machineosconfig.go
+++ b/machineconfiguration/v1alpha1/types_machineosconfig.go
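Review bot: The restored `expectedError` turns this case back into a failure test, but the case's `name:` line sits above the hunk and is not touched here; if it still describes the missing pull secret as allowed, it now contradicts the assertion and should read as a failure case, e.g. `- name: Fail on no pull secret`. The asserted message is the generic "some validation rules were not checked" text rather than a field-specific error, so the test does not pin which rule rejected the object; a sibling case that supplies `baseImagePullSecret: {}` would show whether an empty reference is rejected as well as a missing one. The enclosing test entry starts outside the hunk.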
@@ -104,10 +104,9 @@ type BuildInputs struct {
 // +optional
 BaseOSImagePullspec string `json:"baseOSImagePullspec,omitempty"`
 // baseImagePullSecret is the secret used to pull the base image.
- // must live in the openshift-machine-config-operator namespace if provided.
- // defaults to using the cluster-wide pull secret if not specified.
- // +optional
- BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"`
+ // must live in the openshift-machine-config-operator namespace
+ // +kubebuilder:validation:Required
+ BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret"`
 // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig
 // +kubebuilder:validation:Required
 ImageBuilder *MachineOSImageBuilder `json:"imageBuilder"`
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml
index 4962430502d..aadee09ccc7 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml
@@ -53,8 +53,7 @@ spec:
 baseImagePullSecret:
 description: |-
 baseImagePullSecret is the secret used to pull the base image.
- must live in the openshift-machine-config-operator namespace if provided.
- defaults to using the cluster-wide pull secret if not specified.
+ must live in the openshift-machine-config-operator namespace
 properties:
 name:
 description: |-
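Review bot: `+kubebuilder:validation:Required` on `BaseImagePullSecret` only requires the `baseImagePullSecret` key to be present; because the field is a non-pointer struct and `omitempty` is dropped, Go clients will always emit it as `{}`, so whether an empty secret reference is actually rejected depends on the `name` validation inside `ImageSecretObjectReference`, which is outside this hunk and worth confirming, since a "required" pull-secret field that admits an empty reference would pass admission silently. `ImageBuilder` two lines below is a pointer for the same kind of required reference; mirroring that with `BaseImagePullSecret *ImageSecretObjectReference` would stop clients from emitting an empty object by default, though it changes the Go type. The restored comment also drops its terminating period: `// must live in the openshift-machine-config-operator namespace.` The BuildInputs struct starts and ends outside the hunk, and the same description is echoed by the generated CRD and openapi hunks that follow.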
@@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index c548f9ec659..e2560073c6e 100644 --- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml @@ -53,8 +53,7 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + must live in the openshift-machine-config-operator namespace properties: name: description: |- @@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 431689f7b32..95fcd5c5672 100644 
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml @@ -53,8 +53,7 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + must live in the openshift-machine-config-operator namespace properties: name: description: |- @@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 77520f59dca..6c45f35a077 100644 --- a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -53,8 +53,7 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + must live in the openshift-machine-config-operator namespace properties: name: description: |- 
@@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go index c765089afcf..a51ffee1426 100644 --- a/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -190,7 +190,7 @@ var map_BuildInputs = map[string]string{ "": "BuildInputs holds all of the information needed to trigger a build", "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", - "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", + "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. 
this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", "renderedImagePushspec": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 27d7cb10fc8..a2430334b66 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -38801,7 +38801,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref common.R }, "baseImagePullSecret": { SchemaProps: spec.SchemaProps{ - Description: "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", + Description: "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), }, @@ -38859,7 +38859,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref common.R }, }, }, - Required: []string{"imageBuilder", "renderedImagePushSecret", "renderedImagePushspec"}, + Required: []string{"baseImagePullSecret", "imageBuilder", "renderedImagePushSecret", "renderedImagePushspec"}, }, }, Dependencies: []string{ 
diff --git a/openapi/openapi.json b/openapi/openapi.json index 78cd94cbdf3..33384de2a3c 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -22393,13 +22393,14 @@ "description": "BuildInputs holds all of the information needed to trigger a build", "type": "object", "required": [ + "baseImagePullSecret", "imageBuilder", "renderedImagePushSecret", "renderedImagePushspec" ], "properties": { "baseImagePullSecret": { - "description": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace if provided. defaults to using the cluster-wide pull secret if not specified.", + "description": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", "default": {}, "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" }, diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index 4962430502d..aadee09ccc7 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml @@ -53,8 +53,7 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + must live in the openshift-machine-config-operator namespace properties: name: description: |- 
@@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index c548f9ec659..e2560073c6e 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml @@ -53,8 +53,7 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + must live in the openshift-machine-config-operator namespace properties: name: description: |- @@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 431689f7b32..95fcd5c5672 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -53,8 +53,7 @@ spec: baseImagePullSecret: description: |- baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace if provided. - defaults to using the cluster-wide pull secret if not specified. + must live in the openshift-machine-config-operator namespace properties: name: description: |- @@ -196,6 +195,7 @@ spec: rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: + - baseImagePullSecret - imageBuilder - renderedImagePushSecret - renderedImagePushspec From 8f073d7544e319201967f209f78cf71840af88bd Mon Sep 17 00:00:00 2001 From: Yu Qi Zhang Date: Mon, 2 Dec 2024 21:14:03 -0500 Subject: [PATCH 6/7] Additional MOSC/MOSB updates Mostly fixes around validation and godocs. Added some additional test cases. --- .../OnClusterBuild.yaml | 167 ++++++--- .../OnClusterBuild.yaml | 343 +++++++++--------- .../v1/types_machineosbuild.go | 70 ++-- .../v1/types_machineosconfig.go | 54 +-- ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 119 +++--- ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 119 +++--- ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 119 +++--- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 44 ++- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 44 ++- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 44 ++- .../v1/zz_generated.deepcopy.go | 12 +- .../OnClusterBuild.yaml | 119 +++--- .../OnClusterBuild.yaml | 44 ++- .../v1/zz_generated.swagger_doc_generated.go | 44 +-- 14 files changed, 756 insertions(+), 586 deletions(-) diff --git a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index 0dfdd6697ff..fe16cab2980 100644 
--- a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml
+++ b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml
@@ -4,44 +4,129 @@ crdName: machineosbuilds.machineconfiguration.openshift.io featureGate: OnClusterBuild tests: onCreate: - - name: Should be able to create a minimal MachineOSBuild - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSBuild - metadata: - name: foobar - spec: - desiredConfig: - name: rendered-worker-abcd - machineOSConfig: - name: worker - renderedImagePushspec: quay.io/mco/renderedImage:latest - expected: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSBuild - metadata: - name: foobar - spec: - desiredConfig: - name: rendered-worker-abcd - machineOSConfig: - name: worker - renderedImagePushspec: quay.io/mco/renderedImage:latest - onCreate: - - name: Fail on invalid buildEnd time - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSBuild - metadata: - name: foobar - spec: - desiredConfig: - name: rendered-worker-abcd - machineOSConfig: - name: worker - renderedImagePushspec: quay.io/mco/renderedImage:latest - status: - buildStart: 2024-11-28T10:00:00Z - buildEnd: 2024-11-28T09:00:00Z - expectedError: "Invalid value: \"string\": buildEnd must be after buildStart" - + - name: Should be able to create a minimal MachineOSBuild + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + - name: Fail on invalid buildEnd time + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker 
+ renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + buildStart: 2024-11-28T10:00:00Z + buildEnd: 2024-11-28T09:00:00Z + expectedError: "status.BuildEnd: Invalid value: \"string\": buildEnd must be after buildStart" + onUpdate: + - name: Failed builds cannot change status + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + conditions: + - type: Failed + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + conditions: + - type: Failed + status: "False" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + expectedError: "status.conditions[0].status: Invalid value: \"string\": once a Failed condition is set, conditions are immutable" + - name: Interrupted builds cannot change status + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + conditions: + - type: Interrupted + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + desiredConfig: + name: rendered-worker-abcd + 
machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + conditions: + - type: Succeeded + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + expectedError: "status.conditions[0].status: Invalid value: \"string\": once an Interrupted condition is set, conditions are immutable" diff --git a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index fabe3409437..658d9885be0 100644 --- a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
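Review bot: The expectedError for the `Fail on invalid buildEnd time` case is `status.BuildEnd: Invalid value: ...`, but the JSON field is spelled `buildEnd`, and the companion change in types_machineosbuild.go moves the rule from that field onto the MachineOSBuildStatus type, so the apiserver would report the failure at `status` rather than at a capitalised field path. I would expect something closer to `expectedError: "status: Invalid value: \"object\": buildEnd must be after buildStart"` (the exact prefix depends on how the harness matches), and it is worth confirming this case fails for the stated reason rather than because no error is produced at all. The two new onUpdate cases also carry a status without `buildStart`, which that type marks required; if the harness applies status through the subresource, confirm the initial objects are accepted.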
@@ -4,175 +4,174 @@ crdName: machineosconfigs.machineconfiguration.openshift.io featureGate: OnClusterBuild tests: onCreate: - - name: Should be able to create a minimal MachineOSConfig - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo - expected: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo - onCreate: - - name: Should be able to create a MachineOSConfig with a renderedImagePushspec that contains a port - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: 
example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: registry.test.example.local:5000/test/custom-os-image:v0.1 - buildOutputs: - currentImagePullSecret: - name: foo - expected: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: registry.test.example.local:5000/test/custom-os-image:v0.1 - buildOutputs: - currentImagePullSecret: - name: foo - - name: Fail on invalid rendered image pushspec - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: foo.bar - buildOutputs: - currentImagePullSecret: - name: foo - expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, 
resembling a valid URL without the scheme" - - name: Fail on invalid base image pullspec - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: foo.bar - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo - expectedError: "Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" - - name: Allows for an empty pull secret - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseOSExtensionsImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo - expected: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: JobImageBuilder - baseOSImagePullspec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseOSExtensionsImagePullspec: 
example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushspec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo + - name: Should be able to create a minimal MachineOSConfig + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + - name: Should be able to create a MachineOSConfig with a renderedImagePushSpec that contains a port + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: 
example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 + buildOutputs: + currentImagePullSecret: + name: foo + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 + buildOutputs: + currentImagePullSecret: + name: foo + - name: Fail on invalid rendered image pushspec + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: foo.bar + buildOutputs: + currentImagePullSecret: + name: foo + expectedError: "spec.buildInputs.renderedImagePushSpec: Invalid value: \"string\": the OCI Image name should follow the 
host[:port][/namespace]/name format, resembling a valid URL without the scheme" + - name: Fail on invalid base image pullspec + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: foo.bar + baseImagePullSecret: + name: foo + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + expectedError: "spec.buildInputs.baseOSImagePullSpec: Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + - name: Allows for an empty pull secret + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + buildOutputs: + currentImagePullSecret: + name: foo + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + buildInputs: + imageBuilder: + imageBuilderType: Job + baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 + baseOSExtensionsImagePullSpec: 
example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306
+ renderedImagePushSecret:
+ name: foo
+ renderedImagePushSpec: quay.io/mco/renderedImg:latest
+ buildOutputs:
+ currentImagePullSecret:
+ name: foo
diff --git a/machineconfiguration/v1/types_machineosbuild.go b/machineconfiguration/v1/types_machineosbuild.go
index d12978f4b83..7b17f485176 100644
--- a/machineconfiguration/v1/types_machineosbuild.go
+++ b/machineconfiguration/v1/types_machineosbuild.go
@@ -32,10 +32,9 @@ type MachineOSBuild struct {
 // +kubebuilder:validation:Required
 Spec MachineOSBuildSpec `json:"spec"`
 
- // status describes the lst observed state of this machine os build
- // +kubebuilder:validation:XValidation:rule="self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) > timestamp(self.buildEnd)",message="buildEnd must be after buildStart"
+ // status describes the last observed state of this machine os build
 // +optional
- Status MachineOSBuildStatus `json:"status"`
+ Status *MachineOSBuildStatus `json:"status"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
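Review bot: `Status *MachineOSBuildStatus `json:"status"`` is marked `+optional` but the tag has no `omitempty`, so a nil status is serialized as `"status": null` instead of being absent; `json:"status,omitempty"` gives the wire form the minimal-object test in this commit assumes (it has no status key at all). Switching status to a pointer also departs from the value-typed status that Kubernetes API conventions use, so every reader of `.Status.Conditions` or `.Status.Builder` now needs a nil check; if the pointer is only there to make the new struct-level CEL rule skip an absent status, that is worth saying in the comment, e.g. `// Status is a pointer so that an unset status is not subject to the status-level validation rules.`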
@@ -54,23 +53,22 @@ type MachineOSBuildList struct {
 
 // MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.
 type MachineOSBuildSpec struct {
- // desiredConfig is the desired config we want to build an image for.
+ // desiredConfig points to the rendered MachineConfig resource to be included in this image build.
 // +kubebuilder:validation:Required
 DesiredConfig RenderedMachineConfigReference `json:"desiredConfig"`
- // machineOSConfig is the config object which the build is based off of
+ // machineOSConfig references the MachineOSConfig resource that this image build extends.
 // +kubebuilder:validation:Required
 MachineOSConfig MachineOSConfigReference `json:"machineOSConfig"`
- // renderedImagePushspec is set from the MachineOSConfig
+ // renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to.
+ // This field describes the location of the final image, which will be pushed by the build once complete.
 // The format of the image pullspec is:
 // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=447
- // +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
 // +kubebuilder:validation:Required
- RenderedImagePushspec string `json:"renderedImagePushspec"`
+ RenderedImagePushSpec ImageTagFormat `json:"renderedImagePushSpec"`
 }
 
 // MachineOSBuildStatus describes the state of a build and other helpful information.
+// +kubebuilder:validation:XValidation:rule="has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd)",message="buildEnd must be after buildStart"
 type MachineOSBuildStatus struct {
 // conditions are state related conditions for the build. Valid types are:
 // Prepared, Building, Failed, Interrupted, and Succeeded.
@@ -84,9 +82,9 @@ type MachineOSBuildStatus struct {
 // +kubebuilder:validation:XValidation:rule="self.exists(x, x.type == 'Interrupted') ? self == oldSelf : true",message="once an Interrupted condition is set, conditions are immutable"
 // +optional
 Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
- // BuilderReference describes which ImageBuilder backend to use for this build
- // +optional
- BuilderReference *MachineOSBuilderReference `json:"builderReference"`
+ // builder describes the image builder backend used for this build.
+ // +kubebuilder:validation:Required
+ Builder MachineOSBuilderReference `json:"builder"`
 // relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs.
 // After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted.
 // However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.
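Review bot: The struct-level rule `has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd)` is written as the failure condition, but a CEL validation rule must evaluate to true for a valid object: as it stands it admits a status whose buildStart is later than buildEnd and rejects every in-progress status that has buildStart but no buildEnd yet. The field-level rule it replaces had the same shape, so this is carried over rather than introduced, but since the rule is being relocated anyway I would fix it here, e.g. `rule="!has(self.buildStart) || !has(self.buildEnd) || timestamp(self.buildEnd) > timestamp(self.buildStart)"`. The `Fail on invalid buildEnd time` case in the machineosbuilds test file is the one that should catch this, so if it passes today, the harness rather than the rule is worth a look. The MachineOSBuildStatus struct body continues outside this hunk.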
@@ -95,31 +93,32 @@ type MachineOSBuildStatus struct {
 // +listMapKey=name
 // +listMapKey=resource
 RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"`
- // buildStart describes when the build started.
+ // buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild.
 // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildStart is immutable once set"
 // +kubebuilder:validation:Required
 BuildStart metav1.Time `json:"buildStart"`
- // buildEnd describes when the build ended.
+ // buildEnd is the timestamp corresponding to completion of the builder backend.
 // When omitted the build has either not been started, or is in progress.
 // It will be populated once the build completes, fails or is interrupted.
 // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildEnd is immutable once set"
 // +optional
 BuildEnd *metav1.Time `json:"buildEnd,omitempty"`
- // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long
- // +kubebuilder:validation:XValidation:rule=`((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long"
+ // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be.
+ // Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long.
 // +optional
- FinalImagePushspec string `json:"finalImagePushspec,omitempty"`
+ FinalImagePushSpec ImageDigestFormat `json:"finalImagePushSpec,omitempty"`
 }
 
 // MachineOSBuilderReference describes which ImageBuilder backend to use for this build
 type MachineOSBuilderReference struct {
- // ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with.
- // Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image.
+ // imageBuilderType describes the type of image builder used to build this image.
+ // Valid values are Job only.
+ // When set to Job, a pod based builder, using buildah, is launched to build the specified image.
 // +kubebuilder:validation:Required
 ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"`
 // ImageBuilderRef is a reference to the object that is managing the image build
- // For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build
+ // For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build
 // +optional
 ImageBuilderRef *ObjectReference `json:"ImageBuilderRef,omitempty"`
 }
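Review bot: `ImageBuilderRef *ObjectReference `json:"ImageBuilderRef,omitempty"`` at the end of this hunk is the only field visible in this diff whose JSON key is capitalised, and its comment opens with the Go name while the `imageBuilderType` comment rewritten just above it was switched to the JSON name. If v1 has not shipped yet, `json:"imageBuilderRef,omitempty"` with `// imageBuilderRef is a reference to the object that is managing the image build` brings it in line with the rest of the API; if it has shipped, the key has to stay and only the comment should change. Separately, the old and new `finalImagePushSpec` comments both read `'@sha256:' suffix, where '' is 64 hexadecimal characters long` with an empty quoted placeholder, which looks like a `<digest>` token lost to angle-bracket stripping; worth checking the source file rather than this rendering.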
@@ -145,8 +144,9 @@ const (
 // the build targets this MachineConfig, this is often used to tell us whether we need an update.
 type RenderedMachineConfigReference struct {
 // name is the name of the rendered MachineConfig object.
- // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character
- // +kubebuilder:validation:MaxLength:=10
+ // This value should be between 10 and 253 characters, and must contain only lowercase
+ // alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.
+ // +kubebuilder:validation:MinLength:=10
 // +kubebuilder:validation:MaxLength:=253
 // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:Required
@@ -156,32 +156,34 @@ type RenderedMachineConfigReference struct {
 // ObjectReference contains enough information to let you inspect or modify the referred object.
 type ObjectReference struct {
 // group of the referent.
- // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character
+ // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.
 // Example: "", "apps", "build.openshift.io", etc.
 // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:MaxLength:=253
 // +kubebuilder:validation:Required
 Group string `json:"group"`
 // resource of the referent.
- // This value should consist of only lowercase alphanumeric characters and hyphens.
+ // This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens,
+ // and should start and end with an alphanumeric character.
 // Example: "deployments", "deploymentconfigs", "pods", etc.
 // +kubebuilder:validation:Required
- // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
+ // +kubebuilder:validation:XValidation:rule=`!format.dns1123Label().validate(self).hasValue()`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=63
 Resource string `json:"resource"`
 // namespace of the referent.
- // This value should consist of only lowercase alphanumeric characters and hyphens.
- // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
+ // This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens,
+ // and should start and end with an alphanumeric character.
+ // +kubebuilder:validation:XValidation:rule=`!format.dns1123Label().validate(self).hasValue()`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=63
 // +optional
 Namespace string `json:"namespace,omitempty"`
 // name of the referent.
- // This value should consist of only lowercase alphanumeric characters and hyphens.
- // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
+ // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:MaxLength=253
 // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
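Review bot: The `group` field, left as context at the top of this hunk, is `Required` and validated with `format.dns1123Subdomain()`, yet its comment lists `""` as the first example; as far as I can tell the DNS-1123 subdomain format rejects an empty string, so a reference into the core API group cannot be expressed. Either drop `""` from the example, or relax the rule to `self == "" || !format.dns1123Subdomain().validate(self).hasValue()` and document that an empty group means the core group. The `name` change to a 253-character subdomain is right; for symmetry with the 'at most 63 characters' wording now on `resource` and `namespace`, its comment could open with `// This value should consist of at most 253 characters, ...`.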
@@ -189,10 +191,10 @@ type ObjectReference struct {
 // MachineOSConfigReference refers to the MachineOSConfig this build is based off of
 type MachineOSConfigReference struct {
 // name of the MachineOSConfig.
- // This value should consist of only lowercase alphanumeric characters and hyphens.
- // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
+ // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:MaxLength=253
 // +kubebuilder:validation:Required
 Name string `json:"name"`
 }
diff --git a/machineconfiguration/v1/types_machineosconfig.go b/machineconfiguration/v1/types_machineosconfig.go
index f7fc324a7a1..f0fb0c0703f 100644
--- a/machineconfiguration/v1/types_machineosconfig.go
+++ b/machineconfiguration/v1/types_machineosconfig.go
@@ -67,16 +67,12 @@ type MachineOSConfigStatus struct {
  // +kubebuilder:validation:Minimum=0
  // +kubebuilder:validation:Required
  ObservedGeneration int64 `json:"observedGeneration,omitempty"`
- // currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.
+ // currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest.
  // The format of the image pullspec is:
  // host[:port][/namespace]/name@sha256:
  // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=447
- // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
- // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
  // +optional
- CurrentImagePullspec string `json:"currentImagePullspec,omitempty"`
+ CurrentImagePullSpec ImageDigestFormat `json:"currentImagePullSpec,omitempty"`
  // machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build
  // +optional
  MachineOSBuild *ObjectReference `json:"machineOSBuild,omitempty"`
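Review bot: The status field's JSON key changes from `currentImagePullspec` to `currentImagePullSpec` together with the Go rename, so any MachineOSConfig object already persisted with the old key would have that status value dropped as an unknown field, and a controller still writing the old key would lose it silently; the same applies to `baseOSExtensionsImagePullSpec` and `baseOSImagePullSpec` in the BuildInputs hunk that follows. If the v1 types have not yet been served to any cluster this is harmless, but the wire-format change is invisible from the Go identifier alone, so I would record it in the commit message or in the field comment, e.g. `// Note: the serialized key was renamed from currentImagePullspec.`. Re-typing the field as ImageDigestFormat is the right direction: a pullspec that fails the shared digest rule is now rejected at admission instead of being stored for the MCO to act on.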
@@ -84,37 +80,29 @@ type MachineOSConfigStatus struct {
 // BuildInputs holds all of the information needed to trigger a build
 type BuildInputs struct {
- // baseOSExtensionsImagePullspec is the base Extensions image used in the build process
+ // baseOSExtensionsImagePullSpec is the base Extensions image used in the build process
  // The MachineOSConfig object will use the in cluster image registry configuration.
  // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
  // The format of the image pullspec is:
  // host[:port][/namespace]/name@sha256:
  // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=447
- // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
- // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
  // +optional
- BaseOSExtensionsImagePullspec string `json:"baseOSExtensionsImagePullspec,omitempty"`
- // baseOSImagePullspec is the base OSImage we use to build our custom image.
+ BaseOSExtensionsImagePullSpec ImageDigestFormat `json:"baseOSExtensionsImagePullSpec,omitempty"`
+ // baseOSImagePullSpec is the base OSImage we use to build our custom image.
  // The MachineOSConfig object will use the in cluster image registry configuration.
  // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf.
  // The format of the image pullspec is:
  // host[:port][/namespace]/name@sha256:
  // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=447
- // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
- // +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
  // +optional
- BaseOSImagePullspec string `json:"baseOSImagePullspec,omitempty"`
+ BaseOSImagePullSpec ImageDigestFormat `json:"baseOSImagePullSpec,omitempty"`
  // baseImagePullSecret is the secret used to pull the base image.
  // Must live in the openshift-machine-config-operator namespace if provided.
  // Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.
  // +optional
  BaseImagePullSecret *ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"`
  // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig.
- // Currently supported type(s): JobImageBuilder
+ // Currently supported type(s): Job
  // +kubebuilder:validation:Required
  ImageBuilder MachineOSImageBuilder `json:"imageBuilder"`
  // renderedImagePushSecret is the secret used to connect to a user registry.
@@ -129,11 +117,8 @@ type BuildInputs struct {
  // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects.
  // The format of the image pushspec is:
  // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=447
- // +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
  // +kubebuilder:validation:Required
- RenderedImagePushSpec string `json:"renderedImagePushSpec"`
+ RenderedImagePushSpec ImageTagFormat `json:"renderedImagePushSpec"`
  // releaseVersion is an Openshift release version which the base OS image is associated with.
  // This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace.
  // It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream.
@@ -170,8 +155,8 @@ type BuildOutputs struct {
 type MachineOSImageBuilder struct {
  // imageBuilderType specifies the backend to be used to build the image.
- // +kubebuilder:validation:Enum:=JobImageBuilder
- // Valid options are: JobImageBuilder
+ // +kubebuilder:validation:Enum:=Job
+ // Valid options are: Job
  // +required
  ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"`
 }
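Review bot: The enum value changes from `JobImageBuilder` to `Job`, so a stored MachineOSConfig carrying `imageBuilderType: JobImageBuilder` will fail `Enum` validation on its next write; if such objects can exist anywhere the v1 CRD is served, the commit message should say how they are expected to be migrated. The accepted value is also spelled out by hand in two comments (`Valid options are: Job` here and `Currently supported type(s): Job` on `BuildInputs.ImageBuilder` in the preceding hunk), which will drift the next time a builder type is added; I would keep the list only next to the `Enum` marker and have the other comment read `// See MachineOSImageBuilderType for the supported values.`. Minor style point: this field uses `+required` while `RenderedImagePushSpec` in the first hunk on this line uses `+kubebuilder:validation:Required`; as far as I can tell both produce the same schema, but one form per file is easier to audit.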
@@ -220,7 +205,8 @@ const (
 // the MachineOSBuilder pod validates that the user has provided a valid pool
 type MachineConfigPoolReference struct {
  // name of the MachineConfigPool object.
- // Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
+ // This value should be at most 253 characters, and must contain only lowercase
+ // alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.
  // +kubebuilder:validation:MaxLength:=253
  // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
  // +kubebuilder:validation:Required
@@ -238,10 +224,24 @@ type ImageSecretObjectReference struct {
  Name string `json:"name"`
 }
+// ImageTagFormat is a type that conforms to the format host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=447
+// +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
+type ImageTagFormat string
+
+// ImageDigestFormat is a type that conforms to the format host[:port][/namespace]/name@sha256:
+// The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=447
+// +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
+// +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
+type ImageDigestFormat string
+
 // +enum
 type MachineOSImageBuilderType string
 const (
  // describes that the machine-os-builder will use a Job to spin up a custom pod builder that uses buildah
- JobBuilder MachineOSImageBuilderType = "JobImageBuilder"
+ JobBuilder MachineOSImageBuilderType = "Job"
 )
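Review bot: The name component of ImageDigestFormat's second rule, `[a-zA-Z0-9-_.]*?$`, may be empty, so a constructed value such as `example.io/@sha256:` followed by 64 hex digits satisfies both rules while naming no image; `+` in place of `*?` (`/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]+$`) closes that, and the same rule permits only one namespace level whereas ImageTagFormat's first alternative accepts `(/[a-zA-Z0-9-_]{1,61})*`, so a nested path is rejected in digest form but accepted in tag form. The ImageTagFormat doc comment describes the service form as `svc_name.namespace.svc[:port]/repository/name` with an optional port, but the second alternative `\\.svc:\\d+\\/` and its own message require one; the comment or the rule should be made to agree. That service alternative is also built from negated classes (`[^.]+`, `[^\\/]+`) that admit whitespace and shell metacharacters the first alternative excludes; a positive character class like the one used for the host form would make the two halves consistent. These two types now gate which base images the build consumes and where the rendered image is pushed, so it is worth getting the admission rules exactly right before v1 settles.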
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml index b767598a7af..5a70745fde9 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml @@ -63,14 +63,16 @@ spec: description: spec describes the configuration of the machine os build properties: desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + description: desiredConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: description: |- name is the name of the rendered MachineConfig object. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 + minLength: 10 type: string x-kubernetes-validations: - message: a lowercase RFC 1123 subdomain must consist of lower 
@@ -81,26 +83,28 @@ spec: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: description: |- name of the MachineOSConfig. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -116,18 +120,18 @@ spec: required: - desiredConfig - machineOSConfig - - renderedImagePushspec + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build properties: buildEnd: description: |- - buildEnd describes when the build ended. + buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted. format: date-time 
@@ -136,25 +140,26 @@ spec: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: BuilderReference describes which ImageBuilder backend - to use for this build + builder: + description: builder describes the image builder backend used for + this build. properties: ImageBuilderRef: description: |- ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build + For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -166,29 +171,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -196,7 +204,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -204,8 +212,9 @@ spec: type: object imageBuilderType: description: |- - ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. - Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. type: string required: - imageBuilderType 
@@ -281,16 +290,20 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must end with - a valid '@sha256:' suffix, where '' is 64 hexadecimal - characters long + finalImagePushSpec: + description: |- + finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. + Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 hexadecimal characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: description: |- relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. @@ -303,7 +316,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +328,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +361,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -359,10 +375,11 @@ spec: x-kubernetes-list-type: map required: - buildStart + - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart - rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd) required: - spec diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml index c9e9728bae3..2ecf9ea6e6e 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml @@ -63,14 +63,16 @@ spec: description: spec describes the configuration of the machine os build properties: desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + description: desiredConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: description: |- name is the name of the rendered MachineConfig object. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 + minLength: 10 type: string x-kubernetes-validations: - message: a lowercase RFC 1123 subdomain must consist of lower 
@@ -81,26 +83,28 @@ spec: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: description: |- name of the MachineOSConfig. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -116,18 +120,18 @@ spec: required: - desiredConfig - machineOSConfig - - renderedImagePushspec + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build properties: buildEnd: description: |- - buildEnd describes when the build ended. + buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted. format: date-time 
@@ -136,25 +140,26 @@ spec: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: BuilderReference describes which ImageBuilder backend - to use for this build + builder: + description: builder describes the image builder backend used for + this build. properties: ImageBuilderRef: description: |- ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build + For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -166,29 +171,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -196,7 +204,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -204,8 +212,9 @@ spec: type: object imageBuilderType: description: |- - ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. - Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. type: string required: - imageBuilderType 
@@ -281,16 +290,20 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must end with - a valid '@sha256:' suffix, where '' is 64 hexadecimal - characters long + finalImagePushSpec: + description: |- + finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. + Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 hexadecimal characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: description: |- relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. @@ -303,7 +316,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +328,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +361,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -359,10 +375,11 @@ spec: x-kubernetes-list-type: map required: - buildStart + - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart - rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd) required: - spec diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml index 42835d4db79..33444f0629d 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml @@ -63,14 +63,16 @@ spec: description: spec describes the configuration of the machine os build properties: desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + description: desiredConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: description: |- name is the name of the rendered MachineConfig object. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 + minLength: 10 type: string x-kubernetes-validations: - message: a lowercase RFC 1123 subdomain must consist of lower 
@@ -81,26 +83,28 @@ spec: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: description: |- name of the MachineOSConfig. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -116,18 +120,18 @@ spec: required: - desiredConfig - machineOSConfig - - renderedImagePushspec + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build properties: buildEnd: description: |- - buildEnd describes when the build ended. + buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted. format: date-time 
@@ -136,25 +140,26 @@ spec: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: BuilderReference describes which ImageBuilder backend - to use for this build + builder: + description: builder describes the image builder backend used for + this build. properties: ImageBuilderRef: description: |- ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build + For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -166,29 +171,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -196,7 +204,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -204,8 +212,9 @@ spec: type: object imageBuilderType: description: |- - ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. - Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. type: string required: - imageBuilderType 
@@ -281,16 +290,20 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must end with - a valid '@sha256:' suffix, where '' is 64 hexadecimal - characters long + finalImagePushSpec: + description: |- + finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. + Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 hexadecimal characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: description: |- relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. @@ -303,7 +316,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +328,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +361,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -359,10 +375,11 @@ spec: x-kubernetes-list-type: map required: - buildStart + - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart - rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd) required: - spec diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index 7b342ebc202..052c23a1bf0 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml @@ -71,9 +71,9 @@ spec: required: - name type: object - baseOSExtensionsImagePullspec: + baseOSExtensionsImagePullSpec: description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process + baseOSExtensionsImagePullSpec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: 
@@ -89,9 +89,9 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + baseOSImagePullSpec: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. + baseOSImagePullSpec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: @@ -154,14 +154,14 @@ spec: imageBuilder: description: |- machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): JobImageBuilder + Currently supported type(s): Job properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: JobImageBuilder + Valid options are: Job enum: - - JobImageBuilder + - Job type: string required: - imageBuilderType @@ -261,7 +261,8 @@ spec: name: description: |- name of the MachineConfigPool object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 type: string x-kubernetes-validations: 
@@ -279,9 +280,9 @@ spec: status: description: status describes the status of the machineosconfig properties: - currentImagePullspec: + currentImagePullSpec: description: |- - currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -303,7 +304,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +316,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +349,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index 2a7eed90e9c..7be84075dfb 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml @@ -71,9 +71,9 @@ spec: required: - name type: object - baseOSExtensionsImagePullspec: + baseOSExtensionsImagePullSpec: description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process + baseOSExtensionsImagePullSpec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: @@ -89,9 +89,9 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + baseOSImagePullSpec: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. + baseOSImagePullSpec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: 
@@ -154,14 +154,14 @@ spec: imageBuilder: description: |- machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): JobImageBuilder + Currently supported type(s): Job properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: JobImageBuilder + Valid options are: Job enum: - - JobImageBuilder + - Job type: string required: - imageBuilderType @@ -261,7 +261,8 @@ spec: name: description: |- name of the MachineConfigPool object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 type: string x-kubernetes-validations: @@ -279,9 +280,9 @@ spec: status: description: status describes the status of the machineosconfig properties: - currentImagePullspec: + currentImagePullSpec: description: |- - currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -303,7 +304,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +316,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +349,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index b7088cf0e93..ebf28f6f39a 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml @@ -71,9 +71,9 @@ spec: required: - name type: object - baseOSExtensionsImagePullspec: + baseOSExtensionsImagePullSpec: description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process + baseOSExtensionsImagePullSpec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: @@ -89,9 +89,9 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + baseOSImagePullSpec: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. + baseOSImagePullSpec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: 
@@ -154,14 +154,14 @@ spec: imageBuilder: description: |- machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): JobImageBuilder + Currently supported type(s): Job properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: JobImageBuilder + Valid options are: Job enum: - - JobImageBuilder + - Job type: string required: - imageBuilderType @@ -261,7 +261,8 @@ spec: name: description: |- name of the MachineConfigPool object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 type: string x-kubernetes-validations: @@ -279,9 +280,9 @@ spec: status: description: status describes the status of the machineosconfig properties: - currentImagePullspec: + currentImagePullSpec: description: |- - currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -303,7 +304,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +316,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +349,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
diff --git a/machineconfiguration/v1/zz_generated.deepcopy.go b/machineconfiguration/v1/zz_generated.deepcopy.go index 59637cc93ef..dbf0c5975f6 100644 --- a/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/machineconfiguration/v1/zz_generated.deepcopy.go @@ -920,7 +920,11 @@ func (in *MachineOSBuild) DeepCopyInto(out *MachineOSBuild) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) out.Spec = in.Spec - in.Status.DeepCopyInto(&out.Status) + if in.Status != nil { + in, out := &in.Status, &out.Status + *out = new(MachineOSBuildStatus) + (*in).DeepCopyInto(*out) + } return } @@ -1003,11 +1007,7 @@ func (in *MachineOSBuildStatus) DeepCopyInto(out *MachineOSBuildStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.BuilderReference != nil { - in, out := &in.BuilderReference, &out.BuilderReference - *out = new(MachineOSBuilderReference) - (*in).DeepCopyInto(*out) - } + in.Builder.DeepCopyInto(&out.Builder) if in.RelatedObjects != nil { in, out := &in.RelatedObjects, &out.RelatedObjects *out = make([]ObjectReference, len(*in)) diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index 759e9d3108e..df15028eb65 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -63,14 +63,16 @@ spec: description: spec describes the configuration of the machine os build properties: desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + description: desiredConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: description: |- name is the name of the rendered MachineConfig object. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 + minLength: 10 type: string x-kubernetes-validations: - message: a lowercase RFC 1123 subdomain must consist of lower 
@@ -81,26 +83,28 @@ spec: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: description: |- name of the MachineOSConfig. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: maxLength: 447 
@@ -116,18 +120,18 @@ spec: required: - desiredConfig - machineOSConfig - - renderedImagePushspec + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build properties: buildEnd: description: |- - buildEnd describes when the build ended. + buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted. format: date-time 
@@ -136,25 +140,26 @@ spec: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: BuilderReference describes which ImageBuilder backend - to use for this build + builder: + description: builder describes the image builder backend used for + this build. properties: ImageBuilderRef: description: |- ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build + For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build properties: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -166,29 +171,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -196,7 +204,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -204,8 +212,9 @@ spec: type: object imageBuilderType: description: |- - ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. - Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image. + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. type: string required: - imageBuilderType 
@@ -281,16 +290,20 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must end with - a valid '@sha256:' suffix, where '' is 64 hexadecimal - characters long + finalImagePushSpec: + description: |- + finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. + Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 hexadecimal characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: description: |- relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. @@ -303,7 +316,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +328,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +361,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
@@ -359,10 +375,11 @@ spec: x-kubernetes-list-type: map required: - buildStart + - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart - rule: self.buildStart != null && self.buildEnd != null && timestamp(self.buildStart) + rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd) required: - spec diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 83bf9b995d8..22fea0126a1 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -71,9 +71,9 @@ spec: required: - name type: object - baseOSExtensionsImagePullspec: + baseOSExtensionsImagePullSpec: description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process + baseOSExtensionsImagePullSpec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: 
@@ -89,9 +89,9 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + baseOSImagePullSpec: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. + baseOSImagePullSpec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: @@ -154,14 +154,14 @@ spec: imageBuilder: description: |- machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): JobImageBuilder + Currently supported type(s): Job properties: imageBuilderType: description: |- imageBuilderType specifies the backend to be used to build the image. - Valid options are: JobImageBuilder + Valid options are: Job enum: - - JobImageBuilder + - Job type: string required: - imageBuilderType @@ -261,7 +261,8 @@ spec: name: description: |- name of the MachineConfigPool object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 type: string x-kubernetes-validations: 
@@ -279,9 +280,9 @@ spec: status: description: status describes the status of the machineosconfig properties: - currentImagePullspec: + currentImagePullSpec: description: |- - currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. @@ -303,7 +304,7 @@ spec: group: description: |- group of the referent. - The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: "", "apps", "build.openshift.io", etc. maxLength: 253 type: string 
@@ -315,29 +316,32 @@ spec: name: description: |- name of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. - maxLength: 256 + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' namespace: description: |- namespace of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' resource: description: |- resource of the referent. - This value should consist of only lowercase alphanumeric characters and hyphens. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 @@ -345,7 +349,7 @@ spec: x-kubernetes-validations: - message: the value must consist of only lowercase alphanumeric characters and hyphens - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + rule: '!format.dns1123Label().validate(self).hasValue()' required: - group - name 
diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index cad7f6bbb9d..8f965a6d088 100644 --- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go @@ -362,7 +362,7 @@ func (PoolSynchronizerStatus) SwaggerDoc() map[string]string { var map_MachineOSBuild = map[string]string{ "": "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "spec": "spec describes the configuration of the machine os build", - "status": "status describes the lst observed state of this machine os build", + "status": "status describes the last observed state of this machine os build", } func (MachineOSBuild) SwaggerDoc() map[string]string { 
@@ -380,9 +380,9 @@ func (MachineOSBuildList) SwaggerDoc() map[string]string { var map_MachineOSBuildSpec = map[string]string{ "": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", - "desiredConfig": "desiredConfig is the desired config we want to build an image for.", - "machineOSConfig": "machineOSConfig is the config object which the build is based off of", - "renderedImagePushspec": "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + "desiredConfig": "desiredConfig points to the rendered MachineConfig resource to be included in this image build.", + "machineOSConfig": "machineOSConfig references the MachineOSConfig resource that this image build extends.", + "renderedImagePushSpec": "renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", } func (MachineOSBuildSpec) SwaggerDoc() map[string]string { 
@@ -392,11 +392,11 @@ func (MachineOSBuildSpec) SwaggerDoc() map[string]string { var map_MachineOSBuildStatus = map[string]string{ "": "MachineOSBuildStatus describes the state of a build and other helpful information.", "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded. Once a Build is marked as Failed or Interrupted, no future conditions can be set.", - "builderReference": "BuilderReference describes which ImageBuilder backend to use for this build", + "builder": "builder describes the image builder backend used for this build.", "relatedObjects": "relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.", - "buildStart": "buildStart describes when the build started.", - "buildEnd": "buildEnd describes when the build ended. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted.", - "finalImagePushspec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long", + "buildStart": "buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild.", + "buildEnd": "buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. 
It will be populated once the build completes, fails or is interrupted.", + "finalImagePushSpec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long.", } func (MachineOSBuildStatus) SwaggerDoc() map[string]string { @@ -405,8 +405,8 @@ func (MachineOSBuildStatus) SwaggerDoc() map[string]string { var map_MachineOSBuilderReference = map[string]string{ "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build", - "imageBuilderType": "ImageBuilderType describes the image builder set in the MachineOSConfig, which in turn describes the builder that the cluster will attempt the build with. Currently only JobImageBuilder is supported, which will spin up a custom pod builder that uses buildah to build the specified image.", - "ImageBuilderRef": "ImageBuilderRef is a reference to the object that is managing the image build For example, if the imageBuilderType is JobImageBuilder, this will be a reference to the Job object managing the build", + "imageBuilderType": "imageBuilderType describes the type of image builder used to build this image. Valid values are Job only. When set to Job, a pod based builder, using buildah, is launched to build the specified image.", + "ImageBuilderRef": "ImageBuilderRef is a reference to the object that is managing the image build For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build", } func (MachineOSBuilderReference) SwaggerDoc() map[string]string { 
@@ -415,7 +415,7 @@ func (MachineOSBuilderReference) SwaggerDoc() map[string]string { var map_MachineOSConfigReference = map[string]string{ "": "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", - "name": "name of the MachineOSConfig. This value should consist of only lowercase alphanumeric characters and hyphens.", + "name": "name of the MachineOSConfig. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.", } func (MachineOSConfigReference) SwaggerDoc() map[string]string { 
@@ -424,10 +424,10 @@ func (MachineOSConfigReference) SwaggerDoc() map[string]string { var map_ObjectReference = map[string]string{ "": "ObjectReference contains enough information to let you inspect or modify the referred object.", - "group": "group of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character Example: \"\", \"apps\", \"build.openshift.io\", etc.", - "resource": "resource of the referent. This value should consist of only lowercase alphanumeric characters and hyphens. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", - "namespace": "namespace of the referent. This value should consist of only lowercase alphanumeric characters and hyphens.", - "name": "name of the referent. This value should consist of only lowercase alphanumeric characters and hyphens.", + "group": "group of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", + "resource": "resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", + "namespace": "namespace of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start and end with an alphanumeric character.", + "name": "name of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.", } func (ObjectReference) SwaggerDoc() map[string]string { 
@@ -436,7 +436,7 @@ func (ObjectReference) SwaggerDoc() map[string]string { var map_RenderedMachineConfigReference = map[string]string{ "": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", - "name": "name is the name of the rendered MachineConfig object. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character", + "name": "name is the name of the rendered MachineConfig object. This value should be between 10 and 253 characters, and must contain only lowercase alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.", } func (RenderedMachineConfigReference) SwaggerDoc() map[string]string { 
@@ -445,10 +445,10 @@ func (RenderedMachineConfigReference) SwaggerDoc() map[string]string { var map_BuildInputs = map[string]string{ "": "BuildInputs holds all of the information needed to trigger a build", - "baseOSExtensionsImagePullspec": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", - "baseOSImagePullspec": "baseOSImagePullspec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "baseOSExtensionsImagePullSpec": "baseOSExtensionsImagePullSpec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "baseOSImagePullSpec": "baseOSImagePullSpec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. 
If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. Must live in the openshift-machine-config-operator namespace if provided. Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.", - "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. Currently supported type(s): JobImageBuilder", + "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. Currently supported type(s): Job", "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. The final image push and pull secrets should be separate and assume the principal of least privilege. The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. The pull secret with read only privileges is required on all nodes. By separating the two secrets, the risk of write credentials becoming compromised is reduced.", "renderedImagePushSpec": "renderedImagePushSpec describes the location of the final image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. 
The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", "releaseVersion": "releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the Containerfile that builds the OS image.", @@ -479,7 +479,7 @@ func (ImageSecretObjectReference) SwaggerDoc() map[string]string { var map_MachineConfigPoolReference = map[string]string{ "": "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", - "name": "name of the MachineConfigPool object. Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.", + "name": "name of the MachineConfigPool object. This value should be at most 253 characters, and must contain only lowercase alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.", } func (MachineConfigPoolReference) SwaggerDoc() map[string]string { 
@@ -519,7 +519,7 @@ func (MachineOSConfigSpec) SwaggerDoc() map[string]string { var map_MachineOSConfigStatus = map[string]string{ "": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", "observedGeneration": "observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller.", - "currentImagePullspec": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", + "currentImagePullSpec": "currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.", "machineOSBuild": "machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build", } @@ -538,7 +538,7 @@ func (MachineOSContainerfile) SwaggerDoc() map[string]string { } var map_MachineOSImageBuilder = map[string]string{ - "imageBuilderType": "imageBuilderType specifies the backend to be used to build the image. Valid options are: JobImageBuilder", + "imageBuilderType": "imageBuilderType specifies the backend to be used to build the image. Valid options are: Job", } func (MachineOSImageBuilder) SwaggerDoc() map[string]string { From 380c9289b939f62e78755f8a60616c4b440874e3 Mon Sep 17 00:00:00 2001 
From: Yu Qi Zhang Date: Tue, 3 Dec 2024 18:30:41 -0500 Subject: [PATCH 7/7] Further MOSC/MOSB updates: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed BuildOutputs and the CurrentImagePullSecret field (not really needed at this time, we’d prefer if the user would put any additional pull secrets into the cluster-wide object) - Removed BuildInputs and lifted all fields to spec, removing: - ReleaseVersion - BaseOSImagePullSpec - BaseOSExtensionsImagePullSpec Which will be populated directly from the MCO instead. We will consider re-adding those if there is a need for on cluster pre-builds off new release images in the future. - Renamed finalImagePushSpec to digestedImagePushSpec - Switched MachineOSBuilderReference back to an union, and renamed the job object unionmember to just “job” - Changed “desiredConfig” to “MachineConfig” for clarity - Kept ObservedGeneration, but updated the validation, and will fix on the MCO side - Removed duplicate arch types, and updated containerfiles to allow at most 1 per arch (minus noarch) --- .../OnClusterBuild.yaml | 60 ++- .../OnClusterBuild.yaml | 139 ++----- .../v1/types_machineosbuild.go | 39 +- .../v1/types_machineosconfig.go | 115 ++---- ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 46 ++- ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 46 ++- ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 46 ++- ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 376 ++++++++---------- ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 376 ++++++++---------- ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 376 ++++++++---------- .../v1/zz_generated.deepcopy.go | 121 +++--- .../OnClusterBuild.yaml | 46 ++- .../OnClusterBuild.yaml | 376 ++++++++---------- .../v1/zz_generated.swagger_doc_generated.go | 79 ++-- 14 files changed, 1013 insertions(+), 1228 deletions(-) 
diff --git a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index fe16cab2980..bfe3c0fcff4 100644 --- a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -11,7 +11,7 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker @@ -22,7 +22,7 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker @@ -34,17 +34,38 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker renderedImagePushSpec: quay.io/mco/renderedImage:latest status: - builder: + builder: imageBuilderType: Job + job: + group: batch + resource: job + namespace: openshift-machine-config-operator + name: buildjob buildStart: 2024-11-28T10:00:00Z buildEnd: 2024-11-28T09:00:00Z expectedError: "status.BuildEnd: Invalid value: \"string\": buildEnd must be after buildStart" + - name: Job imagebuilder type must have job reference + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + expectedError: "status.builder.job: Invalid value: \"object\": job is required when imageBuilderType is Job, and forbidden otherwise" onUpdate: - name: Failed builds cannot change status initial: | @@ -53,7 +74,7 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker 
@@ -61,6 +82,11 @@ tests: status: builder: imageBuilderType: Job + job: + group: batch + resource: job + namespace: openshift-machine-config-operator + name: buildjob conditions: - type: Failed status: "True" @@ -73,14 +99,18 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker renderedImagePushSpec: quay.io/mco/renderedImage:latest status: - builder: - imageBuilderType: Job + imageBuilderType: Job + job: + group: batch + resource: job + namespace: openshift-machine-config-operator + name: buildjob conditions: - type: Failed status: "False" @@ -95,7 +125,7 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker @@ -103,6 +133,11 @@ tests: status: builder: imageBuilderType: Job + job: + group: batch + resource: job + namespace: openshift-machine-config-operator + name: buildjob conditions: - type: Interrupted status: "True" @@ -115,7 +150,7 @@ tests: metadata: name: foobar spec: - desiredConfig: + machineConfig: name: rendered-worker-abcd machineOSConfig: name: worker @@ -123,6 +158,11 @@ tests: status: builder: imageBuilderType: Job + job: + group: batch + resource: job + namespace: openshift-machine-config-operator + name: buildjob conditions: - type: Succeeded status: "True" diff --git a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 658d9885be0..adb8310ffa1 100644 --- a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -13,19 +13,13 @@ tests: spec: machineConfigPool: name: worker - buildInputs: - imageBuilder: - imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushSpec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest expected: | apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig @@ -34,19 +28,13 @@ tests: spec: machineConfigPool: name: worker - buildInputs: - imageBuilder: - imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushSpec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest - name: Should be able to create a MachineOSConfig with a renderedImagePushSpec that contains a port initial: | apiVersion: machineconfiguration.openshift.io/v1 
@@ -56,19 +44,13 @@ tests: spec: machineConfigPool: name: worker - buildInputs: - imageBuilder: - imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 - buildOutputs: - currentImagePullSecret: - name: foo + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 expected: | apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig 
@@ -77,43 +59,14 @@ tests: spec: machineConfigPool: name: worker - buildInputs: - imageBuilder: - imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 - buildOutputs: - currentImagePullSecret: - name: foo - - name: Fail on invalid rendered image pushspec - initial: | - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineOSConfig - metadata: - name: foobar - spec: - machineConfigPool: - name: worker - buildInputs: - imageBuilder: - imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushSpec: foo.bar - buildOutputs: - currentImagePullSecret: - name: foo - expectedError: "spec.buildInputs.renderedImagePushSpec: Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" - - name: Fail on invalid base image pullspec + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 + - name: Fail on invalid rendered image push spec initial: | apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig 
@@ -122,20 +75,14 @@ tests: spec: machineConfigPool: name: worker - buildInputs: - imageBuilder: - imageBuilderType: Job - baseOSImagePullSpec: foo.bar - baseImagePullSecret: - name: foo - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - renderedImagePushSecret: - name: foo - renderedImagePushSpec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo - expectedError: "spec.buildInputs.baseOSImagePullSpec: Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: foo.bar + expectedError: "spec.renderedImagePushSpec: Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." - name: Allows for an empty pull secret initial: | apiVersion: machineconfiguration.openshift.io/v1 @@ -145,17 +92,11 @@ tests: spec: machineConfigPool: name: worker - buildInputs: imageBuilder: imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 renderedImagePushSecret: name: foo renderedImagePushSpec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo expected: | apiVersion: machineconfiguration.openshift.io/v1 kind: MachineOSConfig 
@@ -164,14 +105,8 @@ tests: spec: machineConfigPool: name: worker - buildInputs: imageBuilder: imageBuilderType: Job - baseOSImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 - baseOSExtensionsImagePullSpec: example.io/my-project/image-v1.0_23@sha256:2c3ea52ac3a41c6d58e85977c3149413e3fa4b70eb2397426456863adbf43306 renderedImagePushSecret: name: foo renderedImagePushSpec: quay.io/mco/renderedImg:latest - buildOutputs: - currentImagePullSecret: - name: foo diff --git a/machineconfiguration/v1/types_machineosbuild.go b/machineconfiguration/v1/types_machineosbuild.go index 7b17f485176..30a3a44cbe1 100644 --- a/machineconfiguration/v1/types_machineosbuild.go +++ b/machineconfiguration/v1/types_machineosbuild.go 
@@ -53,22 +53,22 @@ type MachineOSBuildList struct {
 
 // MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.
 type MachineOSBuildSpec struct {
-	// desiredConfig points to the rendered MachineConfig resource to be included in this image build.
+	// machineConfig points to the rendered MachineConfig resource to be included in this image build.
 	// +kubebuilder:validation:Required
-	DesiredConfig RenderedMachineConfigReference `json:"desiredConfig"`
+	MachineConfig MachineConfigReference `json:"machineConfig"`
 	// machineOSConfig references the MachineOSConfig resource that this image build extends.
 	// +kubebuilder:validation:Required
 	MachineOSConfig MachineOSConfigReference `json:"machineOSConfig"`
 	// renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to.
 	// This field describes the location of the final image, which will be pushed by the build once complete.
-	// The format of the image pullspec is:
-	// host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
+	// The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:.
+	// The length of the push spec must be between 1 to 447 characters.
 	// +kubebuilder:validation:Required
 	RenderedImagePushSpec ImageTagFormat `json:"renderedImagePushSpec"`
 }
 
 // MachineOSBuildStatus describes the state of a build and other helpful information.
-// +kubebuilder:validation:XValidation:rule="has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) > timestamp(self.buildEnd)",message="buildEnd must be after buildStart"
+// +kubebuilder:validation:XValidation:rule="has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) < timestamp(self.buildEnd)",message="buildEnd must be after buildStart"
 type MachineOSBuildStatus struct {
 	// conditions are state related conditions for the build. Valid types are:
 	// Prepared, Building, Failed, Interrupted, and Succeeded.
@@ -83,8 +83,8 @@ type MachineOSBuildStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 	// builder describes the image builder backend used for this build.
-	// +kubebuilder:validation:Required
-	Builder MachineOSBuilderReference `json:"builder"`
+	// +optional
+	Builder *MachineOSBuilderReference `json:"builder"`
 	// relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs.
 	// After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted.
 	// However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.
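Review bot: The corrected MachineOSBuildStatus rule `has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) < timestamp(self.buildEnd)` evaluates to false whenever either timestamp is absent, so a status without buildEnd — a build that has not started or is still running, which the buildEnd godoc in the next hunks describes as the normal omitted case — is rejected with "buildEnd must be after buildStart". The presence checks need to guard the comparison instead of being conjoined with it: `// +kubebuilder:validation:XValidation:rule="!has(self.buildStart) || !has(self.buildEnd) || timestamp(self.buildStart) < timestamp(self.buildEnd)",message="buildEnd must be after buildStart"`. The onUpdate fixtures in the MachineOSBuild OnClusterBuild.yaml hunks that set status.builder and conditions without any timestamps would presumably trip the rule as written, so they are worth re-running against the generated CRD.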
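Review bot: `Builder *MachineOSBuilderReference \`json:"builder"\`` becomes an optional pointer but keeps a tag without `omitempty`, so a nil builder is serialized as an explicit `"builder": null` rather than being omitted, unlike the sibling `conditions,omitempty` and `buildEnd,omitempty` fields in the same struct. The tag should read `json:"builder,omitempty"`. The same applies to `BuildStart *metav1.Time \`json:"buildStart"\`` in the following hunk, which also gains `+optional` without `omitempty`.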
@@ -95,32 +95,37 @@ type MachineOSBuildStatus struct { RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"` // buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild. // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildStart is immutable once set" - // +kubebuilder:validation:Required - BuildStart metav1.Time `json:"buildStart"` + // +optional + BuildStart *metav1.Time `json:"buildStart"` // buildEnd is the timestamp corresponding to completion of the builder backend. // When omitted the build has either not been started, or is in progress. // It will be populated once the build completes, fails or is interrupted. // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildEnd is immutable once set" // +optional BuildEnd *metav1.Time `json:"buildEnd,omitempty"` - // finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. - // Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + // digestedImagePushSpec describes the fully qualified push spec produced by this build. + // The format of the push spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. // +optional - FinalImagePushSpec ImageDigestFormat `json:"finalImagePushSpec,omitempty"` + DigestedImagePushSpec ImageDigestFormat `json:"digestedImagePushSpec,omitempty"` } // MachineOSBuilderReference describes which ImageBuilder backend to use for this build +// +union +// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'Job' ? 
true : !has(self.job)",message="job is required when imageBuilderType is Job, and forbidden otherwise" type MachineOSBuilderReference struct { // imageBuilderType describes the type of image builder used to build this image. // Valid values are Job only. // When set to Job, a pod based builder, using buildah, is launched to build the specified image. + // +unionDiscriminator // +kubebuilder:validation:Required ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"` - // ImageBuilderRef is a reference to the object that is managing the image build - // For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build - // +optional - ImageBuilderRef *ObjectReference `json:"ImageBuilderRef,omitempty"` + // job is a reference to the job object that is managing the image build. + // This is required if the imageBuilderType is Job, and forbidden otherwise. + // +unionMember,optional + Job *ObjectReference `json:"job,omitempty"` } // BuildProgess highlights some of the key phases of a build to be tracked in Conditions. @@ -142,7 +147,7 @@ const ( // Refers to the name of a rendered MachineConfig (e.g., "rendered-worker-ec40d2965ff81bce7cd7a7e82a680739", etc.): // the build targets this MachineConfig, this is often used to tell us whether we need an update. -type RenderedMachineConfigReference struct { +type MachineConfigReference struct { // name is the name of the rendered MachineConfig object. // This value should be between 10 and 253 characters, and must contain only lowercase // alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. diff --git a/machineconfiguration/v1/types_machineosconfig.go b/machineconfiguration/v1/types_machineosconfig.go index f0fb0c0703f..7d60725da74 100644 --- a/machineconfiguration/v1/types_machineosconfig.go +++ b/machineconfiguration/v1/types_machineosconfig.go 
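Review bot: The union rule on MachineOSBuilderReference, `has(self.imageBuilderType) && self.imageBuilderType == 'Job' ? true : !has(self.job)`, never requires `job` when the discriminator is Job — the true branch is unconditional — so it enforces only the "forbidden otherwise" half of its own message and of the new godoc "This is required if the imageBuilderType is Job, and forbidden otherwise". The new fixture "Job imagebuilder type must have job reference" in the MachineOSBuild OnClusterBuild.yaml hunk omits `job` and expects that error, which this rule would not produce. The true branch should check presence: `// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'Job' ? has(self.job) : !has(self.job)",message="job is required when imageBuilderType is Job, and forbidden otherwise"`.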
@@ -50,61 +50,15 @@ type MachineOSConfigSpec struct { // machineConfigPool is the pool which the build is for // +kubebuilder:validation:Required MachineConfigPool MachineConfigPoolReference `json:"machineConfigPool"` - // buildInputs is where user input options for the build live - // +kubebuilder:validation:Required - BuildInputs BuildInputs `json:"buildInputs"` - // buildOutputs holds all information needed to handle booting the image after a build - // This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry - // is different than the one used for pushing the image to the registry during the build. - // +optional - BuildOutputs *BuildOutputs `json:"buildOutputs,omitempty"` -} - -// MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig -type MachineOSConfigStatus struct { - // observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller. - // +kubebuilder:validation:XValidation:rule="self >= oldSelf || (self == 0 && oldSelf > 0)", message="observedGeneration must not move backwards except to zero" - // +kubebuilder:validation:Minimum=0 + // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + // Currently supported type(s): Job // +kubebuilder:validation:Required - ObservedGeneration int64 `json:"observedGeneration,omitempty"` - // currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. - // The format of the image pullspec is: - // host[:port][/namespace]/name@sha256: - // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
- // +optional - CurrentImagePullSpec ImageDigestFormat `json:"currentImagePullSpec,omitempty"` - // machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build - // +optional - MachineOSBuild *ObjectReference `json:"machineOSBuild,omitempty"` -} - -// BuildInputs holds all of the information needed to trigger a build -type BuildInputs struct { - // baseOSExtensionsImagePullSpec is the base Extensions image used in the build process - // The MachineOSConfig object will use the in cluster image registry configuration. - // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - // The format of the image pullspec is: - // host[:port][/namespace]/name@sha256: - // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - // +optional - BaseOSExtensionsImagePullSpec ImageDigestFormat `json:"baseOSExtensionsImagePullSpec,omitempty"` - // baseOSImagePullSpec is the base OSImage we use to build our custom image. - // The MachineOSConfig object will use the in cluster image registry configuration. - // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - // The format of the image pullspec is: - // host[:port][/namespace]/name@sha256: - // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - // +optional - BaseOSImagePullSpec ImageDigestFormat `json:"baseOSImagePullSpec,omitempty"` + ImageBuilder MachineOSImageBuilder `json:"imageBuilder"` // baseImagePullSecret is the secret used to pull the base image. // Must live in the openshift-machine-config-operator namespace if provided. // Defaults to using the cluster-wide pull secret if not specified. 
This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. // +optional BaseImagePullSecret *ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"` - // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - // Currently supported type(s): Job - // +kubebuilder:validation:Required - ImageBuilder MachineOSImageBuilder `json:"imageBuilder"` // renderedImagePushSecret is the secret used to connect to a user registry. // The final image push and pull secrets should be separate and assume the principal of least privilege. // The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. 
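Review bot: With buildOutputs and its currentImagePullSecret removed from MachineOSConfigSpec, the surviving renderedImagePushSecret godoc still says "The final image push and pull secrets should be separate and assume the principal of least privilege" without saying where the pull credential now comes from; per the commit message it is the cluster-wide pull secret, and the godoc should state that so the write-capable push secret is not copied into the cluster-wide object to make pulls work. A line such as `// The pull credential used by nodes to fetch the built image comes from the cluster-wide pull secret; this field should carry only the push (write) credential.` after the existing sentence would close the gap, and "principal" should read "principle" while the comment is being touched. MachineOSConfigSpec starts before this hunk and continues into the next one.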
@@ -115,42 +69,49 @@ type BuildInputs struct { // renderedImagePushSpec describes the location of the final image. // The MachineOSConfig object will use the in cluster image registry configuration. // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. - // The format of the image pushspec is: - // host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + // The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + // The length of the push spec must be between 1 to 447 characters. // +kubebuilder:validation:Required RenderedImagePushSpec ImageTagFormat `json:"renderedImagePushSpec"` - // releaseVersion is an Openshift release version which the base OS image is associated with. - // This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. - // It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - // This is used as a label in the Containerfile that builds the OS image. - // +kubebuilder:validation:MaxLength:=253 - // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." - // +optional - ReleaseVersion string `json:"releaseVersion,omitempty"` // containerFile describes the custom data the user has specified to build into the image. // This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. 
// See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - // you can specify up to 7 containerFiles + // This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. // +patchMergeKey=containerfileArch // +patchStrategy=merge // +listType=map // +listMapKey=containerfileArch // +kubebuilder:validation:MinItems=0 - // +kubebuilder:validation:MaxItems=7 + // +kubebuilder:validation:MaxItems=4 // +optional Containerfile []MachineOSContainerfile `json:"containerFile" patchStrategy:"merge" patchMergeKey:"containerfileArch"` } -// BuildOutputs holds all information needed to handle booting the image after a build -type BuildOutputs struct { - // currentImagePullSecret is the secret used to pull the final produced image. - // Must live in the openshift-machine-config-operator namespace, - // the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - // that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - // that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - // This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. +// MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig +type MachineOSConfigStatus struct { + // observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller. 
+ // +kubebuilder:validation:XValidation:rule="self >= oldSelf", message="observedGeneration must not move backwards" + // +kubebuilder:validation:Minimum=0 + // +optional + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + // currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + // This is generated when the Machine Config Operator's build controller successfully completes the build. + // The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. + // +optional + CurrentImagePullSpec ImageDigestFormat `json:"currentImagePullSpec,omitempty"` + // machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build. + // +optional + MachineOSBuild *ObjectReference `json:"machineOSBuild,omitempty"` + // conditions are state related conditions for the object. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type // +optional - CurrentImagePullSecret *ImageSecretObjectReference `json:"currentImagePullSecret,omitempty"` + // TODO(jerzhang): add godoc after conditions are finalized. + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } type MachineOSImageBuilder struct { 
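Review bot: `+kubebuilder:validation:MaxItems=4` on containerFile, and the godoc "one containerFile per arch, up to 4", do not line up with the key space of the list: containerfileArch is the list-map key and its enum in the later hunk of this file has five values (ARM64, AMD64, PPC64LE, S390X and the default NoArch), so the map key already bounds the list at five, and MaxItems additionally rejects the one set that combines a NoArch entry with all four per-arch entries while accepting any other set of up to four. If NoArch is meant to be exclusive with per-arch entries, the godoc should say so and an XValidation rule on the list should enforce it (roughly `rule="!self.exists(c, c.containerfileArch == 'NoArch') || self.size() == 1"`, message to match); if it is not, MaxItems should be 5. The `// TODO(jerzhang): add godoc after conditions are finalized.` line sits between `+optional` and the `Conditions` field, where the generated doc will pick it up as the field description; moving it above the markers avoids that.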
@@ -166,10 +127,10 @@ type MachineOSContainerfile struct { // containerfileArch describes the architecture this containerfile is to be built for. // This arch is optional. If the user does not specify an architecture, it is assumed // that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - // +kubebuilder:validation:Enum:=ARM64;AMD64;PPC64LE;S390X;AArch64;x86_64;NoArch + // +kubebuilder:validation:Enum:=ARM64;AMD64;PPC64LE;S390X;NoArch // +kubebuilder:default:=NoArch // +optional - ContainerfileArch ContainerfileArch `json:"containerfileArch"` + ContainerfileArch ContainerfileArch `json:"containerfileArch,omitempty"` // content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. // See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. // for example, this would add the tree package to your hosts: @@ -193,10 +154,6 @@ const ( Ppc ContainerfileArch = "PPC64LE" // describes the s390x architecture S390 ContainerfileArch = "S390X" - // describes the aarch64 architecture - Aarch64 ContainerfileArch = "AArch64" - // describes the fx86_64 architecture - X86_64 ContainerfileArch = "x86_64" // describes a containerfile that can be applied to any arch NoArch ContainerfileArch = "NoArch" ) 
@@ -224,14 +181,16 @@ type ImageSecretObjectReference struct {
 Name string `json:"name"`
 }
 
-// ImageTagFormat is a type that conforms to the format host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:
+// ImageTagFormat is a type that conforms to the format host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:.
+// The length of the field must be between 1 to 447 characters.
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
 // +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag."
 type ImageTagFormat string
 
-// ImageDigestFormat is a type that conforms to the format host[:port][/namespace]/name@sha256:
+// ImageDigestFormat is a type that conforms to the format host[:port][/namespace]/name@sha256:.
 // The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
+// The length of the field must be between 1 to 447 characters.
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=447
 // +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long"
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml
index 5a70745fde9..63e52bbdbca 100644
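Review bot: The `.svc` alternative of the ImageTagFormat rule is far looser than the host alternative beside it: `[^.]+` and `[^\/]+` admit spaces, control characters and shell metacharacters, and `\d+` puts no bound on the port, so a push spec like `a b.c d.svc:999999/x y/z:t` passes while the same characters are rejected in the `host[:port]` form. This CEL rule is the only gate visible here on a value that the generated CRDs in this series describe as the location the build pushes the final image to, so I would give the second alternative the same character classes, e.g. `self.matches('^[a-zA-Z0-9-]+\\.[a-zA-Z0-9-]+\\.svc:[0-9]{2,5}/[a-zA-Z0-9-_]{1,61}/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$')`, keeping the message unchanged. The commit leaves this rule untouched, so the same looseness is carried into the regenerated renderedImagePushSpec validation. The new doc lines also end in `name:` and `@sha256:` with nothing after the colon; if the `<tag>` and `<digest>` placeholders were lost to angle-bracket stripping in this rendering that is fine, otherwise they should be restored so the documented format is complete.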
--- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml @@ -62,8 +62,8 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - desiredConfig: - description: desiredConfig points to the rendered MachineConfig resource + machineConfig: + description: machineConfig points to the rendered MachineConfig resource to be included in this image build. properties: name: @@ -105,8 +105,8 @@ spec: description: |- renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -118,7 +118,7 @@ spec: rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - desiredConfig + - machineConfig - machineOSConfig - renderedImagePushSpec type: object 
@@ -151,10 +151,16 @@ spec: description: builder describes the image builder backend used for this build. properties: - ImageBuilderRef: + imageBuilderType: description: |- - ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: description: |- @@ -210,15 +216,14 @@ spec: - name - resource type: object - imageBuilderType: - description: |- - imageBuilderType describes the type of image builder used to build this image. - Valid values are Job only. - When set to Job, a pod based builder, using buildah, is launched to build the specified image. - type: string required: - imageBuilderType type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? true : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -290,10 +295,12 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushSpec: + digestedImagePushSpec: description: |- - finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. - Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -373,14 +380,11 @@ spec: - name - resource x-kubernetes-list-type: map - required: - - buildStart - - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) - > timestamp(self.buildEnd) + < timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml index 2ecf9ea6e6e..6d615b0623c 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml 
@@ -62,8 +62,8 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - desiredConfig: - description: desiredConfig points to the rendered MachineConfig resource + machineConfig: + description: machineConfig points to the rendered MachineConfig resource to be included in this image build. properties: name: @@ -105,8 +105,8 @@ spec: description: |- renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -118,7 +118,7 @@ spec: rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - desiredConfig + - machineConfig - machineOSConfig - renderedImagePushSpec type: object 
@@ -151,10 +151,16 @@ spec: description: builder describes the image builder backend used for this build. properties: - ImageBuilderRef: + imageBuilderType: description: |- - ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: description: |- @@ -210,15 +216,14 @@ spec: - name - resource type: object - imageBuilderType: - description: |- - imageBuilderType describes the type of image builder used to build this image. - Valid values are Job only. - When set to Job, a pod based builder, using buildah, is launched to build the specified image. - type: string required: - imageBuilderType type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? true : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -290,10 +295,12 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushSpec: + digestedImagePushSpec: description: |- - finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. - Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -373,14 +380,11 @@ spec: - name - resource x-kubernetes-list-type: map - required: - - buildStart - - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) - > timestamp(self.buildEnd) + < timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml index 33444f0629d..e3c0c4678d6 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml 
@@ -62,8 +62,8 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - desiredConfig: - description: desiredConfig points to the rendered MachineConfig resource + machineConfig: + description: machineConfig points to the rendered MachineConfig resource to be included in this image build. properties: name: @@ -105,8 +105,8 @@ spec: description: |- renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -118,7 +118,7 @@ spec: rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - desiredConfig + - machineConfig - machineOSConfig - renderedImagePushSpec type: object 
@@ -151,10 +151,16 @@ spec: description: builder describes the image builder backend used for this build. properties: - ImageBuilderRef: + imageBuilderType: description: |- - ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: description: |- @@ -210,15 +216,14 @@ spec: - name - resource type: object - imageBuilderType: - description: |- - imageBuilderType describes the type of image builder used to build this image. - Valid values are Job only. - When set to Job, a pod based builder, using buildah, is launched to build the specified image. - type: string required: - imageBuilderType type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? true : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: 
@@ -290,10 +295,12 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushSpec: + digestedImagePushSpec: description: |- - finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. - Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -373,14 +380,11 @@ spec: - name - resource x-kubernetes-list-type: map - required: - - buildStart - - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) - > timestamp(self.buildEnd) + < timestamp(self.buildEnd) required: - spec type: object diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index 052c23a1bf0..7b161ab1527 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml 
@@ -46,132 +46,17 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - Must live in the openshift-machine-config-operator namespace if provided. - Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - baseOSExtensionsImagePullSpec: - description: |- - baseOSExtensionsImagePullSpec is the base Extensions image used in the build process - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullSpec: - description: |- - baseOSImagePullSpec is the base OSImage we use to build our custom image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. - This is also commonly called a Dockerfile and you can treat it as such. 
The content is the content of your Dockerfile. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - you can specify up to 7 containerFiles - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: NoArch - description: |- - containerfileArch describes the architecture this containerfile is to be built for. - This arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - ARM64 - - AMD64 - - PPC64LE - - S390X - - AArch64 - - x86_64 - - NoArch - type: string - content: - description: |- - content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - for example, this would add the tree package to your hosts: - FROM configs AS final - RUN rpm-ostree install tree && \ - ostree container commit - maxLength: 4096 - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: |- - machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): Job - properties: - imageBuilderType: - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: Job - enum: - - Job - type: string - required: - - imageBuilderType - type: object - releaseVersion: + name: description: |- - releaseVersion is an Openshift release version which the base OS image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. 
- It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the Containerfile that builds the OS image. + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 type: string x-kubernetes-validations: 
@@ -179,81 +64,65 @@ spec: case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. rule: '!format.dns1123Subdomain().validate(self).hasValue()' - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - The final image push and pull secrets should be separate and assume the principal of least privilege. - The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. - The pull secret with read only privileges is required on all nodes. - By separating the two secrets, the risk of write credentials becoming compromised is reduced. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - renderedImagePushSpec: - description: |- - renderedImagePushSpec describes the location of the final image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. 
- The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - imageBuilder - - renderedImagePushSecret - - renderedImagePushSpec + - name type: object - buildOutputs: + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. 
+ for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: description: |- - buildOutputs holds all information needed to handle booting the image after a build - This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry - is different than the one used for pushing the image to the registry during the build. + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job properties: - currentImagePullSecret: + imageBuilderType: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - Must live in the openshift-machine-config-operator namespace, - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType type: object machineConfigPool: description: machineConfigPool is the pool which the build is for 
@@ -273,19 +142,122 @@ spec: required: - name type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map currentImagePullSpec: description: |- currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + This is generated when the Machine Config Operator's build controller successfully completes the build. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -299,7 +271,7 @@ spec: machineOSBuild: description: machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image - build + build. properties: group: description: |- 
@@ -362,10 +334,8 @@ spec: minimum: 0 type: integer x-kubernetes-validations: - - message: observedGeneration must not move backwards except to zero - rule: self >= oldSelf || (self == 0 && oldSelf > 0) - required: - - observedGeneration + - message: observedGeneration must not move backwards + rule: self >= oldSelf type: object required: - spec diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index 7be84075dfb..d497c152a18 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml 
@@ -46,132 +46,17 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - Must live in the openshift-machine-config-operator namespace if provided. - Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - baseOSExtensionsImagePullSpec: - description: |- - baseOSExtensionsImagePullSpec is the base Extensions image used in the build process - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullSpec: - description: |- - baseOSImagePullSpec is the base OSImage we use to build our custom image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. - This is also commonly called a Dockerfile and you can treat it as such. 
The content is the content of your Dockerfile. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - you can specify up to 7 containerFiles - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: NoArch - description: |- - containerfileArch describes the architecture this containerfile is to be built for. - This arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - ARM64 - - AMD64 - - PPC64LE - - S390X - - AArch64 - - x86_64 - - NoArch - type: string - content: - description: |- - content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - for example, this would add the tree package to your hosts: - FROM configs AS final - RUN rpm-ostree install tree && \ - ostree container commit - maxLength: 4096 - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: |- - machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): Job - properties: - imageBuilderType: - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: Job - enum: - - Job - type: string - required: - - imageBuilderType - type: object - releaseVersion: + name: description: |- - releaseVersion is an Openshift release version which the base OS image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. 
- It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the Containerfile that builds the OS image. + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 type: string x-kubernetes-validations: 
@@ -179,81 +64,65 @@ spec: case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. rule: '!format.dns1123Subdomain().validate(self).hasValue()' - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - The final image push and pull secrets should be separate and assume the principal of least privilege. - The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. - The pull secret with read only privileges is required on all nodes. - By separating the two secrets, the risk of write credentials becoming compromised is reduced. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - renderedImagePushSpec: - description: |- - renderedImagePushSpec describes the location of the final image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. 
- The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - imageBuilder - - renderedImagePushSecret - - renderedImagePushSpec + - name type: object - buildOutputs: + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. 
+ for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: description: |- - buildOutputs holds all information needed to handle booting the image after a build - This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry - is different than the one used for pushing the image to the registry during the build. + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job properties: - currentImagePullSecret: + imageBuilderType: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - Must live in the openshift-machine-config-operator namespace, - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType type: object machineConfigPool: description: machineConfigPool is the pool which the build is for 
@@ -273,19 +142,122 @@ spec: required: - name type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map currentImagePullSpec: description: |- currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + This is generated when the Machine Config Operator's build controller successfully completes the build. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -299,7 +271,7 @@ spec: machineOSBuild: description: machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image - build + build. properties: group: description: |- 
@@ -362,10 +334,8 @@ spec: minimum: 0 type: integer x-kubernetes-validations: - - message: observedGeneration must not move backwards except to zero - rule: self >= oldSelf || (self == 0 && oldSelf > 0) - required: - - observedGeneration + - message: observedGeneration must not move backwards + rule: self >= oldSelf type: object required: - spec diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index ebf28f6f39a..22295de2da8 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -46,132 +46,17 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - Must live in the openshift-machine-config-operator namespace if provided. - Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - baseOSExtensionsImagePullSpec: - description: |- - baseOSExtensionsImagePullSpec is the base Extensions image used in the build process - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullSpec: - description: |- - baseOSImagePullSpec is the base OSImage we use to build our custom image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. - This is also commonly called a Dockerfile and you can treat it as such. 
The content is the content of your Dockerfile. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - you can specify up to 7 containerFiles - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: NoArch - description: |- - containerfileArch describes the architecture this containerfile is to be built for. - This arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - ARM64 - - AMD64 - - PPC64LE - - S390X - - AArch64 - - x86_64 - - NoArch - type: string - content: - description: |- - content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - for example, this would add the tree package to your hosts: - FROM configs AS final - RUN rpm-ostree install tree && \ - ostree container commit - maxLength: 4096 - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: |- - machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): Job - properties: - imageBuilderType: - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: Job - enum: - - Job - type: string - required: - - imageBuilderType - type: object - releaseVersion: + name: description: |- - releaseVersion is an Openshift release version which the base OS image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. 
- It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the Containerfile that builds the OS image. + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 type: string x-kubernetes-validations: 
@@ -179,81 +64,65 @@ spec: case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. rule: '!format.dns1123Subdomain().validate(self).hasValue()' - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - The final image push and pull secrets should be separate and assume the principal of least privilege. - The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. - The pull secret with read only privileges is required on all nodes. - By separating the two secrets, the risk of write credentials becoming compromised is reduced. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - renderedImagePushSpec: - description: |- - renderedImagePushSpec describes the location of the final image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. 
- The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - imageBuilder - - renderedImagePushSecret - - renderedImagePushSpec + - name type: object - buildOutputs: + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. 
+ for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: description: |- - buildOutputs holds all information needed to handle booting the image after a build - This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry - is different than the one used for pushing the image to the registry during the build. + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job properties: - currentImagePullSecret: + imageBuilderType: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - Must live in the openshift-machine-config-operator namespace, - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType type: object machineConfigPool: description: machineConfigPool is the pool which the build is for 
@@ -273,19 +142,122 @@ spec: required: - name type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map currentImagePullSpec: description: |- currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + This is generated when the Machine Config Operator's build controller successfully completes the build. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -299,7 +271,7 @@ spec: machineOSBuild: description: machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image - build + build. properties: group: description: |- 
@@ -362,10 +334,8 @@ spec: minimum: 0 type: integer x-kubernetes-validations: - - message: observedGeneration must not move backwards except to zero - rule: self >= oldSelf || (self == 0 && oldSelf > 0) - required: - - observedGeneration + - message: observedGeneration must not move backwards + rule: self >= oldSelf type: object required: - spec diff --git a/machineconfiguration/v1/zz_generated.deepcopy.go b/machineconfiguration/v1/zz_generated.deepcopy.go index dbf0c5975f6..d33e82b0c2c 100644 --- a/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/machineconfiguration/v1/zz_generated.deepcopy.go 
@@ -13,55 +13,6 @@ import ( intstr "k8s.io/apimachinery/pkg/util/intstr" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BuildInputs) DeepCopyInto(out *BuildInputs) { - *out = *in - if in.BaseImagePullSecret != nil { - in, out := &in.BaseImagePullSecret, &out.BaseImagePullSecret - *out = new(ImageSecretObjectReference) - **out = **in - } - out.ImageBuilder = in.ImageBuilder - out.RenderedImagePushSecret = in.RenderedImagePushSecret - if in.Containerfile != nil { - in, out := &in.Containerfile, &out.Containerfile - *out = make([]MachineOSContainerfile, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildInputs. -func (in *BuildInputs) DeepCopy() *BuildInputs { - if in == nil { - return nil - } - out := new(BuildInputs) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BuildOutputs) DeepCopyInto(out *BuildOutputs) { - *out = *in - if in.CurrentImagePullSecret != nil { - in, out := &in.CurrentImagePullSecret, &out.CurrentImagePullSecret - *out = new(ImageSecretObjectReference) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildOutputs. -func (in *BuildOutputs) DeepCopy() *BuildOutputs { - if in == nil { - return nil - } - out := new(BuildOutputs) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertExpiry) DeepCopyInto(out *CertExpiry) { *out = *in 
@@ -887,6 +838,22 @@ func (in *MachineConfigPoolStatusConfiguration) DeepCopy() *MachineConfigPoolSta return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigReference) DeepCopyInto(out *MachineConfigReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigReference. +func (in *MachineConfigReference) DeepCopy() *MachineConfigReference { + if in == nil { + return nil + } + out := new(MachineConfigReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigSpec) DeepCopyInto(out *MachineConfigSpec) { *out = *in @@ -982,7 +949,7 @@ func (in *MachineOSBuildList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineOSBuildSpec) DeepCopyInto(out *MachineOSBuildSpec) { *out = *in - out.DesiredConfig = in.DesiredConfig + out.MachineConfig = in.MachineConfig out.MachineOSConfig = in.MachineOSConfig return } @@ -1007,13 +974,20 @@ func (in *MachineOSBuildStatus) DeepCopyInto(out *MachineOSBuildStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - in.Builder.DeepCopyInto(&out.Builder) + if in.Builder != nil { + in, out := &in.Builder, &out.Builder + *out = new(MachineOSBuilderReference) + (*in).DeepCopyInto(*out) + } if in.RelatedObjects != nil { in, out := &in.RelatedObjects, &out.RelatedObjects *out = make([]ObjectReference, len(*in)) copy(*out, *in) } - in.BuildStart.DeepCopyInto(&out.BuildStart) + if in.BuildStart != nil { + in, out := &in.BuildStart, &out.BuildStart + *out = (*in).DeepCopy() + } if in.BuildEnd != nil { in, out := &in.BuildEnd, &out.BuildEnd *out = (*in).DeepCopy() 
@@ -1034,8 +1008,8 @@ func (in *MachineOSBuildStatus) DeepCopy() *MachineOSBuildStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineOSBuilderReference) DeepCopyInto(out *MachineOSBuilderReference) { *out = *in - if in.ImageBuilderRef != nil { - in, out := &in.ImageBuilderRef, &out.ImageBuilderRef + if in.Job != nil { + in, out := &in.Job, &out.Job *out = new(ObjectReference) **out = **in } @@ -1137,11 +1111,17 @@ func (in *MachineOSConfigReference) DeepCopy() *MachineOSConfigReference { func (in *MachineOSConfigSpec) DeepCopyInto(out *MachineOSConfigSpec) { *out = *in out.MachineConfigPool = in.MachineConfigPool - in.BuildInputs.DeepCopyInto(&out.BuildInputs) - if in.BuildOutputs != nil { - in, out := &in.BuildOutputs, &out.BuildOutputs - *out = new(BuildOutputs) - (*in).DeepCopyInto(*out) + out.ImageBuilder = in.ImageBuilder + if in.BaseImagePullSecret != nil { + in, out := &in.BaseImagePullSecret, &out.BaseImagePullSecret + *out = new(ImageSecretObjectReference) + **out = **in + } + out.RenderedImagePushSecret = in.RenderedImagePushSecret + if in.Containerfile != nil { + in, out := &in.Containerfile, &out.Containerfile + *out = make([]MachineOSContainerfile, len(*in)) + copy(*out, *in) } return } @@ -1164,6 +1144,13 @@ func (in *MachineOSConfigStatus) DeepCopyInto(out *MachineOSConfigStatus) { *out = new(ObjectReference) **out = **in } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -1277,19 +1264,3 @@ func (in *PoolSynchronizerStatus) DeepCopy() *PoolSynchronizerStatus { in.DeepCopyInto(out) return out } - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RenderedMachineConfigReference) DeepCopyInto(out *RenderedMachineConfigReference) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RenderedMachineConfigReference. -func (in *RenderedMachineConfigReference) DeepCopy() *RenderedMachineConfigReference { - if in == nil { - return nil - } - out := new(RenderedMachineConfigReference) - in.DeepCopyInto(out) - return out -} diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml index df15028eb65..9a1870e5513 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml @@ -62,8 +62,8 @@ spec: spec: description: spec describes the configuration of the machine os build properties: - desiredConfig: - description: desiredConfig points to the rendered MachineConfig resource + machineConfig: + description: machineConfig points to the rendered MachineConfig resource to be included in this image build. properties: name: 
@@ -105,8 +105,8 @@ spec: description: |- renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -118,7 +118,7 @@ spec: rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - desiredConfig + - machineConfig - machineOSConfig - renderedImagePushSpec type: object @@ -151,10 +151,16 @@ spec: description: builder describes the image builder backend used for this build. properties: - ImageBuilderRef: + imageBuilderType: description: |- - ImageBuilderRef is a reference to the object that is managing the image build - For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: description: |- 
@@ -210,15 +216,14 @@ spec: - name - resource type: object - imageBuilderType: - description: |- - imageBuilderType describes the type of image builder used to build this image. - Valid values are Job only. - When set to Job, a pod based builder, using buildah, is launched to build the specified image. - type: string required: - imageBuilderType type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? true : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: @@ -290,10 +295,12 @@ spec: - message: once an Interrupted condition is set, conditions are immutable rule: 'self.exists(x, x.type == ''Interrupted'') ? self == oldSelf : true' - finalImagePushSpec: + digestedImagePushSpec: description: |- - finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. - Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long. + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -373,14 +380,11 @@ spec: - name - resource x-kubernetes-list-type: map - required: - - buildStart - - builder type: object x-kubernetes-validations: - message: buildEnd must be after buildStart rule: has(self.buildStart) && has(self.buildEnd) && timestamp(self.buildStart) - > timestamp(self.buildEnd) + < timestamp(self.buildEnd) required: - spec type: object 
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml index 22fea0126a1..b5edc58ad8b 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -46,132 +46,17 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - Must live in the openshift-machine-config-operator namespace if provided. - Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - baseOSExtensionsImagePullSpec: - description: |- - baseOSExtensionsImagePullSpec is the base Extensions image used in the build process - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullSpec: - description: |- - baseOSImagePullSpec is the base OSImage we use to build our custom image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. - This is also commonly called a Dockerfile and you can treat it as such. 
The content is the content of your Dockerfile. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - you can specify up to 7 containerFiles - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: NoArch - description: |- - containerfileArch describes the architecture this containerfile is to be built for. - This arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - ARM64 - - AMD64 - - PPC64LE - - S390X - - AArch64 - - x86_64 - - NoArch - type: string - content: - description: |- - content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. - See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. - for example, this would add the tree package to your hosts: - FROM configs AS final - RUN rpm-ostree install tree && \ - ostree container commit - maxLength: 4096 - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: |- - machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. - Currently supported type(s): Job - properties: - imageBuilderType: - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: Job - enum: - - Job - type: string - required: - - imageBuilderType - type: object - releaseVersion: + name: description: |- - releaseVersion is an Openshift release version which the base OS image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. 
- It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the Containerfile that builds the OS image. + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. maxLength: 253 type: string x-kubernetes-validations: 
@@ -179,81 +64,65 @@ spec: case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. rule: '!format.dns1123Subdomain().validate(self).hasValue()' - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - The final image push and pull secrets should be separate and assume the principal of least privilege. - The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. - The pull secret with read only privileges is required on all nodes. - By separating the two secrets, the risk of write credentials becoming compromised is reduced. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - renderedImagePushSpec: - description: |- - renderedImagePushSpec describes the location of the final image. - The MachineOSConfig object will use the in cluster image registry configuration. - If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. 
- The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - imageBuilder - - renderedImagePushSecret - - renderedImagePushSpec + - name type: object - buildOutputs: + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. 
+ for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: description: |- - buildOutputs holds all information needed to handle booting the image after a build - This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry - is different than the one used for pushing the image to the registry during the build. + machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job properties: - currentImagePullSecret: + imageBuilderType: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - Must live in the openshift-machine-config-operator namespace, - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. - This secret must be in the openshift-machine-config-operator namespace. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of - lower case alphanumeric characters, '-' or '.', and must - start and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType type: object machineConfigPool: description: machineConfigPool is the pool which the build is for 
@@ -273,19 +142,122 @@ spec: required: - name type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map currentImagePullSpec: description: |- currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + This is generated when the Machine Config Operator's build controller successfully completes the build. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string @@ -299,7 +271,7 @@ spec: machineOSBuild: description: machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image - build + build. properties: group: description: |- 
@@ -362,10 +334,8 @@ spec:
 minimum: 0
 type: integer
 x-kubernetes-validations:
- - message: observedGeneration must not move backwards except to zero
- rule: self >= oldSelf || (self == 0 && oldSelf > 0)
- required:
- - observedGeneration
+ - message: observedGeneration must not move backwards
+ rule: self >= oldSelf
 type: object
 required:
 - spec
diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go
index 8f965a6d088..ce223442774 100644
--- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go
+++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go
@@ -359,6 +359,15 @@ func (PoolSynchronizerStatus) SwaggerDoc() map[string]string {
 return map_PoolSynchronizerStatus
 }
 
+var map_MachineConfigReference = map[string]string{
+ "": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.",
+ "name": "name is the name of the rendered MachineConfig object. This value should be between 10 and 253 characters, and must contain only lowercase alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.",
+}
+
+func (MachineConfigReference) SwaggerDoc() map[string]string {
+ return map_MachineConfigReference
+}
+
 var map_MachineOSBuild = map[string]string{
 "": "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 "spec": "spec describes the configuration of the machine os build",
@@ -380,9 +389,9 @@ func (MachineOSBuildList) SwaggerDoc() map[string]string {
 
 var map_MachineOSBuildSpec = map[string]string{
 "": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.",
- "desiredConfig": "desiredConfig points to the rendered MachineConfig resource to be included in this image build.",
+ "machineConfig": "machineConfig points to the rendered MachineConfig resource to be included in this image build.",
 "machineOSConfig": "machineOSConfig references the MachineOSConfig resource that this image build extends.",
- "renderedImagePushSpec": "renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:",
+ "renderedImagePushSpec": "renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. The length of the push spec must be between 1 to 447 characters.",
 }
 
 func (MachineOSBuildSpec) SwaggerDoc() map[string]string {
@@ -390,13 +399,13 @@ func (MachineOSBuildSpec) SwaggerDoc() map[string]string {
 }
 
 var map_MachineOSBuildStatus = map[string]string{
- "": "MachineOSBuildStatus describes the state of a build and other helpful information.",
- "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded. Once a Build is marked as Failed or Interrupted, no future conditions can be set.",
- "builder": "builder describes the image builder backend used for this build.",
- "relatedObjects": "relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.",
- "buildStart": "buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild.",
- "buildEnd": "buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted.",
- "finalImagePushSpec": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must end with a valid '@sha256:' suffix, where '' is 64 hexadecimal characters long.",
+ "": "MachineOSBuildStatus describes the state of a build and other helpful information.",
+ "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded. Once a Build is marked as Failed or Interrupted, no future conditions can be set.",
+ "builder": "builder describes the image builder backend used for this build.",
+ "relatedObjects": "relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. After a successful build or when this MachineOSBuild is deleted, these ephemeral objects should be deleted. However, in the event of a failed build, the objects will not be deleted to allow for inspection and debugging of the failed build process.",
+ "buildStart": "buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild.",
+ "buildEnd": "buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted.",
+ "digestedImagePushSpec": "digestedImagePushSpec describes the fully qualified push spec produced by this build. The format of the push spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.",
 }
 
 func (MachineOSBuildStatus) SwaggerDoc() map[string]string {
@@ -406,7 +415,7 @@ func (MachineOSBuildStatus) SwaggerDoc() map[string]string {
 var map_MachineOSBuilderReference = map[string]string{
 "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build",
 "imageBuilderType": "imageBuilderType describes the type of image builder used to build this image. Valid values are Job only. When set to Job, a pod based builder, using buildah, is launched to build the specified image.",
- "ImageBuilderRef": "ImageBuilderRef is a reference to the object that is managing the image build For example, if the imageBuilderType is Job, this will be a reference to the Job object managing the build",
+ "job": "job is a reference to the job object that is managing the image build. This is required if the imageBuilderType is Job, and forbidden otherwise.",
 }
 
 func (MachineOSBuilderReference) SwaggerDoc() map[string]string {
@@ -434,40 +443,6 @@ func (ObjectReference) SwaggerDoc() map[string]string {
 return map_ObjectReference
 }
 
-var map_RenderedMachineConfigReference = map[string]string{
- "": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.",
- "name": "name is the name of the rendered MachineConfig object. This value should be between 10 and 253 characters, and must contain only lowercase alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.",
-}
-
-func (RenderedMachineConfigReference) SwaggerDoc() map[string]string {
- return map_RenderedMachineConfigReference
-}
-
-var map_BuildInputs = map[string]string{
- "": "BuildInputs holds all of the information needed to trigger a build",
- "baseOSExtensionsImagePullSpec": "baseOSExtensionsImagePullSpec is the base Extensions image used in the build process The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.",
- "baseOSImagePullSpec": "baseOSImagePullSpec is the base OSImage we use to build our custom image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.",
- "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. Must live in the openshift-machine-config-operator namespace if provided. Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.",
- "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. Currently supported type(s): Job",
- "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. The final image push and pull secrets should be separate and assume the principal of least privilege. The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. The pull secret with read only privileges is required on all nodes. By separating the two secrets, the risk of write credentials becoming compromised is reduced.",
- "renderedImagePushSpec": "renderedImagePushSpec describes the location of the final image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:",
- "releaseVersion": "releaseVersion is an Openshift release version which the base OS image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the Containerfile that builds the OS image.",
- "containerFile": "containerFile describes the custom data the user has specified to build into the image. This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. you can specify up to 7 containerFiles",
-}
-
-func (BuildInputs) SwaggerDoc() map[string]string {
- return map_BuildInputs
-}
-
-var map_BuildOutputs = map[string]string{
- "": "BuildOutputs holds all information needed to handle booting the image after a build",
- "currentImagePullSecret": "currentImagePullSecret is the secret used to pull the final produced image. Must live in the openshift-machine-config-operator namespace, the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. This pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.",
-}
-
-func (BuildOutputs) SwaggerDoc() map[string]string {
- return map_BuildOutputs
-}
-
 var map_ImageSecretObjectReference = map[string]string{
 "": "Refers to the name of an image registry push/pull secret needed in the build process.",
 "name": "name is the name of the secret used to push or pull this MachineOSConfig object. Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. This secret must be in the openshift-machine-config-operator namespace.",
@@ -506,10 +481,13 @@ func (MachineOSConfigList) SwaggerDoc() map[string]string {
 }
 
 var map_MachineOSConfigSpec = map[string]string{
- "": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.",
- "machineConfigPool": "machineConfigPool is the pool which the build is for",
- "buildInputs": "buildInputs is where user input options for the build live",
- "buildOutputs": "buildOutputs holds all information needed to handle booting the image after a build This currently contains a currentImagePullSecret field, which should be provided if the final pull secret used to pull the image to nodes from the registry is different than the one used for pushing the image to the registry during the build.",
+ "": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.",
+ "machineConfigPool": "machineConfigPool is the pool which the build is for",
+ "imageBuilder": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. Currently supported type(s): Job",
+ "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. Must live in the openshift-machine-config-operator namespace if provided. Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.",
+ "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. The final image push and pull secrets should be separate and assume the principal of least privilege. The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. The pull secret with read only privileges is required on all nodes. By separating the two secrets, the risk of write credentials becoming compromised is reduced.",
+ "renderedImagePushSpec": "renderedImagePushSpec describes the location of the final image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. The length of the push spec must be between 1 to 447 characters.",
+ "containerFile": "containerFile describes the custom data the user has specified to build into the image. This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4.",
 }
 
 func (MachineOSConfigSpec) SwaggerDoc() map[string]string {
@@ -519,8 +497,9 @@ func (MachineOSConfigSpec) SwaggerDoc() map[string]string {
 var map_MachineOSConfigStatus = map[string]string{
 "": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig",
 "observedGeneration": "observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller.",
- "currentImagePullSpec": "currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. The format of the image pullspec is: host[:port][/namespace]/name@sha256: The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.",
- "machineOSBuild": "machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build",
+ "currentImagePullSpec": "currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. This is generated when the Machine Config Operator's build controller successfully completes the build. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.",
+ "machineOSBuild": "machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build.",
+ "conditions": "conditions are state related conditions for the object.",
 }
 
 func (MachineOSConfigStatus) SwaggerDoc() map[string]string {