Merge pull request #1702 from openshift-cherrypick-robot/cherry-pick-…
…1648-to-release-4.15 No-Jira: [release-4.15] Add payload manifests dir
Showing
37 changed files
with
8,110 additions
and
14 deletions.
@@ -0,0 +1,21 @@ | ||
#!/bin/bash | ||
|
||
source "$(dirname "${BASH_SOURCE}")/lib/init.sh" | ||
|
||
crd_globs="\ | ||
config/v1/*_config-operator_*.crd*yaml\ | ||
quota/v1/*.crd*yaml\ | ||
security/v1/*.crd*yaml\ | ||
securityinternal/v1/*.crd*yaml\ | ||
authorization/v1/*.crd*yaml\ | ||
operator/v1alpha1/0000_10_config-operator_01_imagecontentsourcepolicy.crd*yaml\ | ||
operator/v1/0000_10_config-operator_*.yaml | ||
" | ||
|
||
# To allow the crd_globs to be sourced in the verify script, | ||
# wrap the copy action to prevent it running when sourced. | ||
if [ "$0" = "$BASH_SOURCE" ] ; then | ||
for f in ${crd_globs}; do | ||
cp "$f" "${SCRIPT_ROOT}/payload-manifests/crds/" | ||
done | ||
fi |
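Review bot: A `crd_globs` pattern that matches no file goes undetected in the copy loop, because the unquoted `${crd_globs}` expansion leaves an unmatched glob as its literal text and hands `cp` a path that does not exist. Whether that failure stops the script depends on errexit being enabled in `lib/init.sh`, which this page does not show. This list decides which CRDs reach the payload manifests directory, so I would fail per pattern with `[ -e "$f" ] || { echo "crd_globs entry matched nothing: $f" >&2; exit 1; }` as the first line of the loop body. The patterns are also relative paths, so the script presumably relies on `init.sh` changing into `${SCRIPT_ROOT}`; a one-line comment above `crd_globs` saying so would help.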
@@ -0,0 +1,27 @@ | ||
#!/bin/bash | ||
|
||
source "$(dirname "${BASH_SOURCE}")/lib/init.sh" | ||
source "$(dirname "${BASH_SOURCE}")/update-payload-crds.sh" | ||
|
||
files="" | ||
|
||
# Check there's no diff between the files in their canonical location | ||
# and the payload-manifests location. | ||
for f in ${crd_globs}; do | ||
basename=$(basename "${f}") | ||
files+=${basename}, | ||
echo "Verifying diff on ${basename}" | ||
diff "$f" "${SCRIPT_ROOT}/payload-manifests/crds/${basename}" | ||
done | ||
|
||
files=$(echo "${files}" | tr "," "\n") | ||
|
||
# Check that we haven't accidentally added any files that aren't tracked | ||
# by the crd_globs into the payload CRDs folder. | ||
for f in "${SCRIPT_ROOT}/payload-manifests/crds/"*; do | ||
basename=$(basename "${f}") | ||
if ! echo "${files}" | grep -F -q -x "${basename}"; then | ||
echo "Found untracked file ${basename} in payload CRD manifests. Please add the file to crd_globs in hack/update-payload-crds.sh." | ||
exit 1 | ||
fi | ||
done |
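Review bot: The exit status of `diff` in the first loop is never checked, so a payload copy that has drifted from its canonical CRD fails verification only if `lib/init.sh` enables errexit, which is not visible on this page. Checking it explicitly keeps this integrity gate independent of shell options and lets it report every mismatch in one run: `if ! diff "$f" "${SCRIPT_ROOT}/payload-manifests/crds/${basename}"; then failed=1; fi`, followed by `[ -z "${failed:-}" ] || exit 1` after the loop. The variable named `basename` also shadows the command it is assigned from; `name` would read more clearly.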
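--- a/payload-manifests/crds/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
+++ b/payload-manifests/crds/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+api-approved.openshift.io: https://github.com/openshift/api/pull/470
+include.release.openshift.io/ibm-cloud-managed: "true"
+include.release.openshift.io/self-managed-high-availability: "true"
+include.release.openshift.io/single-node-developer: "true"
+name: rolebindingrestrictions.authorization.openshift.io
+spec:
+group: authorization.openshift.io
+names:
+kind: RoleBindingRestriction
+listKind: RoleBindingRestrictionList
+plural: rolebindingrestrictions
+singular: rolebindingrestriction
+scope: Namespaced
+versions:
+- name: v1
+schema:
+openAPIV3Schema:
+description: "RoleBindingRestriction is an object that can be matched against a subject (user, group, or service account) to determine whether rolebindings on that subject are allowed in the namespace to which the RoleBindingRestriction belongs. If any one of those RoleBindingRestriction objects matches a subject, rolebindings on that subject in the namespace are allowed. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
+type: object
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: Spec defines the matcher.
+type: object
+properties:
+grouprestriction:
+description: GroupRestriction matches against group subjects.
+type: object
+properties:
+groups:
+description: Groups is a list of groups used to match against an individual user's groups. If the user is a member of one of the whitelisted groups, the user is allowed to be bound to a role.
+type: array
+items:
+type: string
+nullable: true
+labels:
+description: Selectors specifies a list of label selectors over group labels.
+type: array
+items:
+description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+type: object
+properties:
+matchExpressions:
+description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+type: array
+items:
+description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+type: object
+required:
+- key
+- operator
+properties:
+key:
+description: key is the label key that the selector applies to.
+type: string
+operator:
+description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+type: string
+values:
+description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+type: array
+items:
+type: string
+matchLabels:
+description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+type: object
+additionalProperties:
+type: string
+x-kubernetes-map-type: atomic
+nullable: true
+nullable: true
+serviceaccountrestriction:
+description: ServiceAccountRestriction matches against service-account subjects.
+type: object
+properties:
+namespaces:
+description: Namespaces specifies a list of literal namespace names.
+type: array
+items:
+type: string
+serviceaccounts:
+description: ServiceAccounts specifies a list of literal service-account names.
+type: array
+items:
+description: ServiceAccountReference specifies a service account and namespace by their names.
+type: object
+properties:
+name:
+description: Name is the name of the service account.
+type: string
+namespace:
+description: Namespace is the namespace of the service account. Service accounts from inside the whitelisted namespaces are allowed to be bound to roles. If Namespace is empty, then the namespace of the RoleBindingRestriction in which the ServiceAccountReference is embedded is used.
+type: string
+nullable: true
+userrestriction:
+description: UserRestriction matches against user subjects.
+type: object
+properties:
+groups:
+description: Groups specifies a list of literal group names.
+type: array
+items:
+type: string
+nullable: true
+labels:
+description: Selectors specifies a list of label selectors over user labels.
+type: array
+items:
+description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+type: object
+properties:
+matchExpressions:
+description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+type: array
+items:
+description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+type: object
+required:
+- key
+- operator
+properties:
+key:
+description: key is the label key that the selector applies to.
+type: string
+operator:
+description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+type: string
+values:
+description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+type: array
+items:
+type: string
+matchLabels:
+description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+type: object
+additionalProperties:
+type: string
+x-kubernetes-map-type: atomic
+nullable: true
+users:
+description: Users specifies a list of literal user names.
+type: array
+items:
+type: string
+nullable: true
+served: true
+storage: true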
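--- a/payload-manifests/crds/0000_03_config-operator_01_proxy.crd.yaml
+++ b/payload-manifests/crds/0000_03_config-operator_01_proxy.crd.yaml
@@ -0,0 +1,78 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+api-approved.openshift.io: https://github.com/openshift/api/pull/470
+include.release.openshift.io/ibm-cloud-managed: "true"
+include.release.openshift.io/self-managed-high-availability: "true"
+include.release.openshift.io/single-node-developer: "true"
+name: proxies.config.openshift.io
+spec:
+group: config.openshift.io
+names:
+kind: Proxy
+listKind: ProxyList
+plural: proxies
+singular: proxy
+scope: Cluster
+versions:
+- name: v1
+schema:
+openAPIV3Schema:
+description: "Proxy holds cluster-wide information on how to configure default proxies for the cluster. The canonical name is `cluster` \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
+type: object
+required:
+- spec
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: Spec holds user-settable values for the proxy configuration
+type: object
+properties:
+httpProxy:
+description: httpProxy is the URL of the proxy for HTTP requests. Empty means unset and will not result in an env var.
+type: string
+httpsProxy:
+description: httpsProxy is the URL of the proxy for HTTPS requests. Empty means unset and will not result in an env var.
+type: string
+noProxy:
+description: noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. Empty means unset and will not result in an env var.
+type: string
+readinessEndpoints:
+description: readinessEndpoints is a list of endpoints used to verify readiness of the proxy.
+type: array
+items:
+type: string
+trustedCA:
+description: "trustedCA is a reference to a ConfigMap containing a CA certificate bundle. The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from the required key \"ca-bundle.crt\", merging it with the system default trust bundle, and writing the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" namespace. Clients that expect to make proxy connections must use the trusted-ca-bundle for all HTTPS requests to the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as well. \n The namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". Here is an example ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: user-ca-bundle namespace: openshift-config data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- Custom CA certificate bundle. -----END CERTIFICATE-----"
+type: object
+required:
+- name
+properties:
+name:
+description: name is the metadata.name of the referenced config map
+type: string
+status:
+description: status holds observed values from the cluster. They may not be overridden.
+type: object
+properties:
+httpProxy:
+description: httpProxy is the URL of the proxy for HTTP requests.
+type: string
+httpsProxy:
+description: httpsProxy is the URL of the proxy for HTTPS requests.
+type: string
+noProxy:
+description: noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used.
+type: string
+served: true
+storage: true
+subresources:
+status: {}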