diff --git a/api/v1beta1/hostedcluster_types.go b/api/v1beta1/hostedcluster_types.go
index 765060f9918..12c03af27d1 100644
--- a/api/v1beta1/hostedcluster_types.go
+++ b/api/v1beta1/hostedcluster_types.go
@@ -127,6 +127,12 @@ const (
 )
 
 // HostedClusterSpec is the desired behavior of a HostedCluster.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.clusterID) || has(self.clusterID)", message="clusterID is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.infraID) || has(self.infraID)", message="infraID is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.serviceAccountSigningKey) || has(self.serviceAccountSigningKey)", message="serviceAccountSigningKey is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.auditWebhook) || has(self.auditWebhook)", message="auditWebhook is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.imageContentSources) || has(self.imageContentSources)", message="imageContentSources is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.fips) || has(self.fips)", message="fips is required once set"
 type HostedClusterSpec struct {
 // Release specifies the desired OCP release payload for the hosted cluster.
 //
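Review bot: The fips transition rule added on HostedClusterSpec is dead code: the field is declared further down in this diff as `FIPS bool `json:"fips"`` with no omitempty, so it is serialized on every object and both `has(oldSelf.fips)` and `has(self.fips)` are always true; immutability of fips is enforced solely by the field-level `self == oldSelf` rule. Either drop `+kubebuilder:validation:XValidation:rule="!has(oldSelf.fips) || has(self.fips)", message="fips is required once set"` or note next to it that it only takes effect if the json tag ever gains omitempty. The other five rules guard genuinely optional pointer or omitempty fields and are what closes the set-to-unset gap that a field-level transition rule leaves open, since such rules are skipped when the field is absent on either side. HostedClusterSpec's body continues outside the hunk.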
@@ -144,8 +150,11 @@ type HostedClusterSpec struct {
 // metrics produced by the control plane operators. If a value is not
 // specified, an ID is generated. After initial creation, the value is
 // immutable.
- // +kubebuilder:validation:Pattern:="[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
 // +optional
+ // +kubebuilder:validation:Pattern:="[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="clusterID is immutable"
+ // +kubebuilder:validation:MaxLength=40
 ClusterID string `json:"clusterID,omitempty"`
 
 // InfraID is a globally unique identifier for the cluster. This identifier
@@ -154,6 +163,8 @@ type HostedClusterSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="infraID is immutable"
 InfraID string `json:"infraID,omitempty"`
 
 // Platform specifies the underlying infrastructure provider for the cluster
@@ -166,8 +177,10 @@ type HostedClusterSpec struct {
 // critical control plane components. The default value is SingleReplica.
 //
 // +optional
- // +kubebuilder:default:="SingleReplica"
 // +immutable
+ // +kubebuilder:default:="SingleReplica"
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="controllerAvailabilityPolicy is immutable"
 ControllerAvailabilityPolicy AvailabilityPolicy `json:"controllerAvailabilityPolicy,omitempty"`
 
 // InfrastructureAvailabilityPolicy specifies the availability policy applied
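Review bot: The clusterID pattern re-added in the first hunk is unanchored, so the UUID shape only has to occur somewhere inside the value, and the new `MaxLength=40` leaves four bytes of room for arbitrary prefix or suffix characters around a 36-character match. Because the doc comment says the value identifies the cluster in telemetry and control-plane metrics, it is worth rejecting such values at admission: `// +kubebuilder:validation:Pattern:="^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$"` together with `// +kubebuilder:validation:MaxLength=36`. Any stored object whose clusterID already carries extra characters would fail its next update under the tighter pattern, so check existing data before tightening. The struct continues outside the hunk.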
@@ -175,8 +188,10 @@ type HostedClusterSpec struct {
 // SingleReplica.
 //
 // +optional
- // +kubebuilder:default:="SingleReplica"
 // +immutable
+ // +kubebuilder:default:="SingleReplica"
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="infrastructureAvailabilityPolicy is immutable"
 InfrastructureAvailabilityPolicy AvailabilityPolicy `json:"infrastructureAvailabilityPolicy,omitempty"`
 
 // DNS specifies DNS configuration for the cluster.
@@ -199,9 +214,9 @@ type HostedClusterSpec struct {
 // default ManagementType is Managed. Once set, the ManagementType cannot be
 // changed.
 //
+ // +immutable
 // +kubebuilder:validation:Optional
 // +kubebuilder:default={managementType: "Managed", managed: {storage: {type: "PersistentVolume", persistentVolume: {size: "4Gi"}}}}
- // +immutable
 Etcd EtcdSpec `json:"etcd"`
 
 // Services specifies how individual control plane services are published from
@@ -214,8 +229,6 @@ type HostedClusterSpec struct {
 // PullSecret references a pull secret to be injected into the container
 // runtime of all cluster nodes. The secret must have a key named
 // ".dockerconfigjson" whose value is the pull secret JSON.
- //
- // +immutable
 PullSecret corev1.LocalObjectReference `json:"pullSecret"`
 
 // SSHKey references an SSH key to be injected into all cluster node sshd
@@ -223,6 +236,7 @@ type HostedClusterSpec struct {
 // public part of an SSH key.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="sshKey is immutable"
 SSHKey corev1.LocalObjectReference `json:"sshKey"`
 
 // IssuerURL is an OIDC issuer URL which is used as the issuer in all
@@ -230,10 +244,12 @@ type HostedClusterSpec struct {
 // default value is kubernetes.default.svc, which only works for in-cluster
 // validation.
 //
- // +kubebuilder:default:="https://kubernetes.default.svc"
 // +immutable
 // +optional
+ // +kubebuilder:default:="https://kubernetes.default.svc"
+ // +kubebuilder:validation:Optional
 // +kubebuilder:validation:Format=uri
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="issuerURL is immutable"
 IssuerURL string `json:"issuerURL,omitempty"`
 
 // ServiceAccountSigningKey is a reference to a secret containing the private key
@@ -243,16 +259,17 @@ type HostedClusterSpec struct {
 // signing key, a IssuerURL must also be specified.
 //
 // +immutable
- // +kubebuilder:validation:Optional
 // +optional
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="serviceAccountSigningKey is immutable"
 ServiceAccountSigningKey *corev1.LocalObjectReference `json:"serviceAccountSigningKey,omitempty"`
 
 // Configuration specifies configuration for individual OCP components in the
 // cluster, represented as embedded resources that correspond to the openshift
 // configuration API.
 //
- // +kubebuilder:validation:Optional
 // +optional
+ // +kubebuilder:validation:Optional
 Configuration *ClusterConfiguration `json:"configuration,omitempty"`
 
 // AuditWebhook contains metadata for configuring an audit webhook endpoint
@@ -266,6 +283,8 @@ type HostedClusterSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="auditWebhook is immutable"
 AuditWebhook *corev1.LocalObjectReference `json:"auditWebhook,omitempty"`
 
 // ImageContentSources specifies image mirrors that can be used by cluster
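Review bot: `Format=uri` on IssuerURL in the first hunk accepts any scheme, so an `http://` issuer passes admission even though the doc comment says the value is used as the OIDC issuer and the default is `https://kubernetes.default.svc`. Unless plain-http issuers are deliberately supported, add `// +kubebuilder:validation:Pattern=` with the raw-string value `^https://` next to the format marker, matching what the IBMCloudKMSKeyEntry.URL field at the end of this file already does. The field also becomes immutable in this hunk, so a wrong scheme can no longer be corrected in place, which makes rejecting it at admission more valuable. The struct continues outside the hunk.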
@@ -273,6 +292,8 @@ type HostedClusterSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:MaxItems=8
 ImageContentSources []ImageContentSource `json:"imageContentSources,omitempty"`
 
 // AdditionalTrustBundle is a reference to a ConfigMap containing a
@@ -293,6 +314,8 @@ type HostedClusterSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="fips is immutable"
 FIPS bool `json:"fips"`
 
 // PausedUntil is a field that can be used to pause reconciliation on a resource.
@@ -307,9 +330,9 @@ type HostedClusterSpec struct {
 // cluster. If set to guest, the OLM catalog components will be deployed onto the guest
 // cluster.
 //
- // +kubebuilder:default=management
 // +optional
 // +immutable
+ // +kubebuilder:default=management
 OLMCatalogPlacement OLMCatalogPlacement `json:"olmCatalogPlacement,omitempty"`
 
 // NodeSelector when specified, must be true for the pods managed by the HostedCluster to be scheduled.
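Review bot: ImageContentSources in the first hunk keeps its `+immutable` comment and gains `MaxItems=8`, but unlike every neighbouring `+immutable` field in this diff it receives no `self == oldSelf` rule, so the list stays freely editable after creation and the struct-level rule only prevents removing it altogether. If mutability is intended (the per-element rule added further down makes only each entry's source immutable), replace the stale marker with something like `// Entries may be added or removed after creation; each entry's source is immutable`; otherwise add `// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="imageContentSources is immutable"`. The struct continues outside the hunk.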
@@ -341,22 +364,27 @@ type ImageContentSource struct {
 // specifications.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="source is immutable"
 Source string `json:"source"`
 
 // Mirrors are one or more repositories that may also contain the same images.
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:maxItems=16
 Mirrors []string `json:"mirrors,omitempty"`
 }
 
 // ServicePublishingStrategyMapping specifies how individual control plane
 // services are published from the hosting cluster of a control plane.
+// +kubebuilder:validation:XValidation:rule="oldSelf.service == self.service", message="service is immutable"
 type ServicePublishingStrategyMapping struct {
 // Service identifies the type of service being published.
 //
- // +kubebuilder:validation:Enum=APIServer;OAuthServer;OIDC;Konnectivity;Ignition;OVNSbDb
 // +immutable
+ // +kubebuilder:validation:Enum=APIServer;OAuthServer;OIDC;Konnectivity;Ignition;OVNSbDb
+ // Set as immutable on the ServiceType declaration
 Service ServiceType `json:"service"`
 
 // ServicePublishingStrategy specifies how to publish Service.
@@ -364,11 +392,13 @@ type ServicePublishingStrategyMapping struct {
 }
 
 // ServicePublishingStrategy specfies how to publish a ServiceType.
+// +kubebuilder:validation:XValidation:rule="oldSelf.type == self.type", message="type is immutable"
 type ServicePublishingStrategy struct {
 // Type is the publishing strategy used for the service.
 //
- // +kubebuilder:validation:Enum=LoadBalancer;NodePort;Route;None
 // +immutable
+ // +kubebuilder:validation:Enum=LoadBalancer;NodePort;Route;None
+ // Set as immutable on the PublishingStrategyType declaration
 Type PublishingStrategyType `json:"type"`
 
 // NodePort configures exposing a service using a NodePort.
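Review bot: `// +kubebuilder:validation:maxItems=16` on Mirrors in the first hunk uses a lowercase marker name; controller-gen marker names are case-sensitive and the recognised one is `MaxItems`, so this bound is most likely silently dropped. The regenerated CRD in this diff emits `maxItems: 8` for imageContentSources but the hunk around the source field shows nothing for mirrors, which is consistent with the marker being ignored. Change it to `// +kubebuilder:validation:MaxItems=16` and regenerate the CRD. The ImageContentSource struct starts outside the hunk.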
@@ -448,34 +478,39 @@ type DNSSpec struct {
 // BaseDomain is the base domain of the cluster.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="baseDomain is immutable"
 BaseDomain string `json:"baseDomain"`
 
 // PublicZoneID is the Hosted Zone ID where all the DNS records that are
 // publicly accessible to the internet exist.
 //
- // +optional
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="publicZoneID is immutable"
 PublicZoneID string `json:"publicZoneID,omitempty"`
 
 // PrivateZoneID is the Hosted Zone ID where all the DNS records that are only
 // available internally to the cluster exist.
 //
- // +optional
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="privateZoneID is immutable"
 PrivateZoneID string `json:"privateZoneID,omitempty"`
 }
 
 // ClusterNetworking specifies network configuration for a cluster.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.machineNetwork) || has(self.machineNetwork)", message="machineNetwork is required once set"
 type ClusterNetworking struct {
 // MachineNetwork is the list of IP address pools for machines.
 //
 // +immutable
 // +optional
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="machineNetwork is immutable"
 MachineNetwork []MachineNetworkEntry `json:"machineNetwork,omitempty"`
 
 // ClusterNetwork is the list of IP address pools for pods.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="clusterNetwork is immutable"
 ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork"`
 
 // ServiceNetwork is the list of IP address pools for services.
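Review bot: PublicZoneID and PrivateZoneID gain `self == oldSelf`, but DNSSpec gets no struct-level "required once set" rule, so a zone ID can still be cleared after creation: both fields stay omitempty, and a field-level transition rule is not evaluated when the field is absent on the new side. The same gap exists for apiServer in ClusterNetworking in the next hunk, whose new struct-level rule covers only machineNetwork. Add to DNSSpec `// +kubebuilder:validation:XValidation:rule="!has(oldSelf.publicZoneID) || has(self.publicZoneID)", message="publicZoneID is required once set"` plus the matching privateZoneID rule, and an apiServer rule on ClusterNetworking. If clearing a zone ID is meant to stay allowed, say so in the field comment instead, because `+immutable` currently promises otherwise. DNSSpec starts outside the hunk.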
@@ -486,14 +521,16 @@ type ClusterNetworking struct {
 
 // NetworkType specifies the SDN provider used for cluster networking.
 //
- // +kubebuilder:default:="OVNKubernetes"
 // +immutable
+ // +kubebuilder:default:="OVNKubernetes"
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
 NetworkType NetworkType `json:"networkType"`
 
 // APIServer contains advanced network settings for the API server that affect
 // how the APIServer is exposed inside a cluster node.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="apiServer is immutable"
 APIServer *APIServerNetworking `json:"apiServer,omitempty"`
 }
 
@@ -593,11 +630,14 @@ const (
 )
 // PlatformSpec specifies the underlying infrastructure provider for the cluster
 // and is used to configure platform specific behavior.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.agent) || has(self.agent)", message="agent is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.powervs) || has(self.powervs)", message="powervs is required once set"
 type PlatformSpec struct {
 // Type is the type of infrastructure provider for the cluster.
 //
 // +unionDiscriminator
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="type is immutable"
 Type PlatformType `json:"type"`
 
 // AWS specifies configuration for clusters running on Amazon Web Services.
@@ -610,6 +650,8 @@ type PlatformSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="agent is immutable"
 Agent *AgentPlatformSpec `json:"agent,omitempty"`
 
 // IBMCloud defines IBMCloud specific settings for components
@@ -623,6 +665,7 @@ type PlatformSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
 PowerVS *PowerVSPlatformSpec `json:"powervs,omitempty"`
 }
 
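Review bot: PowerVS in the last hunk gets only `+kubebuilder:validation:Optional`, while the parallel Agent field two hunks up also gets `self == oldSelf`, so the `+immutable` marker above PowerVS is no longer backed by a rule on the field itself and a reader will assume an omission. If that is deliberate because immutability is enforced per field inside PowerVSPlatformSpec (later hunks add per-field rules there, which leaves its remaining fields mutable), record it with a comment such as `// Immutability is enforced on individual PowerVSPlatformSpec fields rather than on the struct as a whole`. Otherwise add the same `self == oldSelf` rule Agent has. PlatformSpec's body ends outside the hunk.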
@@ -644,6 +687,7 @@ type PowerVSPlatformSpec struct {
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="accountID is immutable"
 AccountID string `json:"accountID"`
 
 // CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name
@@ -651,12 +695,14 @@ type PowerVSPlatformSpec struct {
 //
 // +kubebuilder:validation:Pattern=`^crn:`
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="cisInstanceCRN is immutable"
 CISInstanceCRN string `json:"cisInstanceCRN"`
 
 // ResourceGroup is the IBMCloud Resource Group in which the cluster resides.
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="resourceGroup is immutable"
 ResourceGroup string `json:"resourceGroup"`
 
 // Region is the IBMCloud region in which the cluster resides. This configures the
@@ -665,6 +711,7 @@ type PowerVSPlatformSpec struct {
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="region is immutable"
 Region string `json:"region"`
 
 // Zone is the availability zone where control plane cloud resources are
@@ -672,12 +719,14 @@ type PowerVSPlatformSpec struct {
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="zone is immutable"
 Zone string `json:"zone"`
 
 // Subnet is the subnet to use for control plane cloud resources.
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="subnet is immutable"
 Subnet *PowerVSResourceReference `json:"subnet"`
 
 // ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created.
@@ -691,6 +740,7 @@ type PowerVSPlatformSpec struct {
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="serviceInstanceID is immutable"
 ServiceInstanceID string `json:"serviceInstanceID"`
 
 // VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control
@@ -707,6 +757,7 @@ type PowerVSPlatformSpec struct {
 // TODO(dan): document the "cloud controller policy"
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="kubeCloudControllerCreds is immutable"
 KubeCloudControllerCreds corev1.LocalObjectReference `json:"kubeCloudControllerCreds"`
 
 // NodePoolManagementCreds is a reference to a secret containing cloud
@@ -716,28 +767,34 @@ type PowerVSPlatformSpec struct {
 // TODO(dan): document the "node pool management policy"
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="nodePoolManagementCreds is immutable"
 NodePoolManagementCreds corev1.LocalObjectReference `json:"nodePoolManagementCreds"`
 
 // IngressOperatorCloudCreds is a reference to a secret containing ibm cloud
 // credentials for ingress operator to get authenticated with ibm cloud.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="ingressOperatorCloudCreds is immutable"
 IngressOperatorCloudCreds corev1.LocalObjectReference `json:"ingressOperatorCloudCreds"`
 
 // StorageOperatorCloudCreds is a reference to a secret containing ibm cloud
 // credentials for storage operator to get authenticated with ibm cloud.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="storageOperatorCloudCreds is immutable"
 StorageOperatorCloudCreds corev1.LocalObjectReference `json:"storageOperatorCloudCreds"`
 }
 
 // PowerVSVPC specifies IBM Cloud PowerVS LoadBalancer configuration for the control
 // plane.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.zone) || has(self.zone)", message="zone is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.subnet) || has(self.subnet)", message="subnet is required once set"
 type PowerVSVPC struct {
 // Name for VPC to used for all the service load balancer.
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="name is immutable"
 Name string `json:"name"`
 
 // Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic
@@ -745,6 +802,7 @@ type PowerVSVPC struct {
 // This field is immutable. Once set, It can't be changed.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="region is immutable"
 Region string `json:"region"`
 
 // Zone is the availability zone where load balancer cloud resources are
@@ -753,6 +811,8 @@ type PowerVSVPC struct {
 //
 // +immutable
 // +optional
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="zone is immutable"
 Zone string `json:"zone,omitempty"`
 
 // Subnet is the subnet to use for load balancer.
@@ -760,6 +820,8 @@ type PowerVSVPC struct {
 //
 // +immutable
 // +optional
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="subnet is immutable"
 Subnet string `json:"subnet,omitempty"`
 }
 
@@ -811,12 +873,15 @@ const (
 )
 
 // AWSPlatformSpec specifies configuration for clusters running on Amazon Web Services.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.cloudProviderConfig) || has(self.cloudProviderConfig)", message="cloudProviderConfig is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.serviceEndpoints) || has(self.serviceEndpoints)", message="serviceEndpoints is required once set"
 type AWSPlatformSpec struct {
 // Region is the AWS region in which the cluster resides. This configures the
 // OCP control plane cloud integrations, and is used by NodePool to resolve
 // the correct boot AMI for a given release.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="region is immutable"
 Region string `json:"region"`
 
 // CloudProviderConfig specifies AWS networking configuration for the control
@@ -827,6 +892,8 @@ type AWSPlatformSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="cloudProviderConfig is immutable"
 CloudProviderConfig *AWSCloudProviderConfig `json:"cloudProviderConfig,omitempty"`
 
 // ServiceEndpoints specifies optional custom endpoints which will override
@@ -836,12 +903,15 @@ type AWSPlatformSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="serviceEndpoints is immutable"
 ServiceEndpoints []AWSServiceEndpoint `json:"serviceEndpoints,omitempty"`
 
 // RolesRef contains references to various AWS IAM roles required to enable
 // integrations such as OIDC.
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="rolesRef is immutable"
 RolesRef AWSRolesRef `json:"rolesRef"`
 
 // ResourceTags is a list of additional tags to apply to AWS resources created
@@ -851,16 +921,16 @@ type AWSPlatformSpec struct {
 // resource. OpenShift reserves 25 tags for its use, leaving 25 tags available
 // for the user.
 //
- // +kubebuilder:validation:MaxItems=25
 // +optional
+ // +kubebuilder:validation:MaxItems=25
 ResourceTags []AWSResourceTag `json:"resourceTags,omitempty"`
 
 // EndpointAccess specifies the publishing scope of cluster endpoints. The
 // default is Public.
 //
+ // +optional
 // +kubebuilder:validation:Enum=Public;PublicAndPrivate;Private
 // +kubebuilder:default=Public
- // +optional
 EndpointAccess AWSEndpointAccessType `json:"endpointAccess,omitempty"`
 }
 
@@ -1105,6 +1175,7 @@ type AWSRolesRef struct {
 // ]
 // }
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="kubeCloudControllerARN is immutable"
 KubeCloudControllerARN string `json:"kubeCloudControllerARN"`
 
 // NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.
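Review bot: KubeCloudControllerARN in the last hunk becomes immutable but still has no format check, so a value that is not an ARN at all is accepted and, once stored, can never be corrected in place; the same applies to nodePoolManagementARN and controlPlaneOperatorARN in the following hunks. CISInstanceCRN in this diff already pairs immutability with a prefix pattern for the analogous IBM identifier, so adding `// +kubebuilder:validation:Pattern=` with the raw-string value `^arn:` to each ARN field would be consistent; every AWS partition's ARNs share that prefix. AWSRolesRef's body starts and ends outside the hunk.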
@@ -1198,6 +1269,7 @@ type AWSRolesRef struct {
 // }
 //
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="nodePoolManagementARN is immutable"
 NodePoolManagementARN string `json:"nodePoolManagementARN"`
 
 // ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator.
@@ -1230,6 +1302,7 @@ type AWSRolesRef struct {
 // ]
 // }
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="controlPlaneOperatorARN is immutable"
 ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN"`
 }
 
@@ -1317,17 +1390,22 @@ const (
 )
 
 // EtcdSpec specifies configuration for a control plane etcd cluster.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.managed) || has(self.managed)", message="managed is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.unmanaged) || has(self.unmanaged)", message="unmanaged is required once set"
 type EtcdSpec struct {
 // ManagementType defines how the etcd cluster is managed.
 //
 // +unionDiscriminator
 // +immutable
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="managementType is immutable"
 ManagementType EtcdManagementType `json:"managementType"`
 
 // Managed specifies the behavior of an etcd cluster managed by HyperShift.
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="managed is immutable"
 Managed *ManagedEtcdSpec `json:"managed,omitempty"`
 
 // Unmanaged specifies configuration which enables the control plane to
@@ -1335,6 +1413,8 @@ type EtcdSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="unmanaged is immutable"
 Unmanaged *UnmanagedEtcdSpec `json:"unmanaged,omitempty"`
 }
 
@@ -1360,11 +1440,13 @@ var (
 )
 
 // ManagedEtcdStorageSpec describes the storage configuration for etcd data.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.restoreSnapshotURL) || has(self.restoreSnapshotURL)", message="restoreSnapshotURL is required once set"
 type ManagedEtcdStorageSpec struct {
 // Type is the kind of persistent storage implementation to use for etcd.
 //
 // +immutable
 // +unionDiscriminator
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="type is immutable"
 Type ManagedEtcdStorageType `json:"type"`
 
 // PersistentVolume is the configuration for PersistentVolume etcd storage.
@@ -1383,11 +1465,14 @@ type ManagedEtcdStorageSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="restoreSnapshotURL is immutable"
 RestoreSnapshotURL []string `json:"restoreSnapshotURL"`
 }
 
 // PersistentVolumeEtcdStorageSpec is the configuration for PersistentVolume
 // etcd storage.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.storageClassName) || has(self.storageClassName)", message="storageClassName is required once set"
 type PersistentVolumeEtcdStorageSpec struct {
 // StorageClassName is the StorageClass of the data volume for each etcd member.
 //
@@ -1395,6 +1480,8 @@ type PersistentVolumeEtcdStorageSpec struct {
 //
 // +optional
 // +immutable
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="storageClassName is immutable"
 StorageClassName *string `json:"storageClassName,omitempty"`
 
 // Size is the minimum size of the data volume for each etcd member.
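Review bot: RestoreSnapshotURL in the second hunk is a `[]string` with no MaxItems, and `self == oldSelf` on an unbounded list is costed by the apiserver's CEL estimator against the largest list that could fit in a request; depending on the apiserver version that estimate can exceed the per-rule cost budget and make the CRD fail to install, so confirm the regenerated CRD is accepted before merging. A `// +kubebuilder:validation:MaxItems=<N>` bound (N being the number of snapshot URLs actually supported) would both cap the estimate and document the contract. The same consideration applies to the machineNetwork, clusterNetwork and serviceEndpoints lists that received the same rule earlier in this diff. ManagedEtcdStorageSpec's body continues outside the hunk.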
@@ -1499,6 +1586,7 @@ type IBMCloudKMSKeyEntry struct {
 // CorrelationID is an identifier used to track all api call usage from hypershift
 CorrelationID string `json:"correlationID"`
 // URL is the url to call key protect apis over
+ // +kubebuilder:validation:Format=uri
 // +kubebuilder:validation:Pattern=`^https://`
 URL string `json:"url"`
 // KeyVersion is a unique number associated with the key. The number increments whenever a new
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
index 5ad9208722a..cbca7e97fb5 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
@@ -3432,6 +3432,9 @@ spec:
type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: auditWebhook is immutable + rule: self == oldSelf autoscaling: description: Autoscaling specifies auto-scaling behavior that applies to all NodePools associated with the control plane.
@@ -3473,8 +3476,12 @@ spec:
identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. If a value is not specified, an ID is generated. After initial creation, the value is immutable. + maxLength: 40 pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' type: string + x-kubernetes-validations: + - message: clusterID is immutable + rule: self == oldSelf configuration: description: Configuration specifies configuration for individual OCP components in the cluster, represented as embedded resources 
@@ -5219,21 +5226,33 @@ spec: policy applied to critical control plane components. The default value is SingleReplica. type: string + x-kubernetes-validations: + - message: controllerAvailabilityPolicy is immutable + rule: self == oldSelf dns: description: DNS specifies DNS configuration for the cluster. properties: baseDomain: description: BaseDomain is the base domain of the cluster. type: string + x-kubernetes-validations: + - message: baseDomain is immutable + rule: self == oldSelf privateZoneID: description: PrivateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. type: string + x-kubernetes-validations: + - message: privateZoneID is immutable + rule: self == oldSelf publicZoneID: description: PublicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. type: string + x-kubernetes-validations: + - message: publicZoneID is immutable + rule: self == oldSelf required: - baseDomain type: object @@ -5277,7 +5296,13 @@ spec: of the data volume for each etcd member. \n See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1." type: string + x-kubernetes-validations: + - message: storageClassName is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: storageClassName is required once set + rule: '!has(oldSelf.storageClassName) || has(self.storageClassName)' restoreSnapshotURL: description: RestoreSnapshotURL allows an optional list of URLs to be provided where an etcd snapshot can be 
@@ -5288,24 +5313,39 @@ spec: items: type: string type: array + x-kubernetes-validations: + - message: restoreSnapshotURL is immutable + rule: self == oldSelf type: description: Type is the kind of persistent storage implementation to use for etcd. enum: - PersistentVolume type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: restoreSnapshotURL is required once set + rule: '!has(oldSelf.restoreSnapshotURL) || has(self.restoreSnapshotURL)' required: - storage type: object + x-kubernetes-validations: + - message: managed is immutable + rule: self == oldSelf managementType: description: ManagementType defines how the etcd cluster is managed. enum: - Managed - Unmanaged type: string + x-kubernetes-validations: + - message: managementType is immutable + rule: self == oldSelf unmanaged: description: Unmanaged specifies configuration which enables the control plane to integrate with an eternally managed etcd cluster. @@ -5342,15 +5382,26 @@ spec: - endpoint - tls type: object + x-kubernetes-validations: + - message: unmanaged is immutable + rule: self == oldSelf required: - managementType type: object + x-kubernetes-validations: + - message: managed is required once set + rule: '!has(oldSelf.managed) || has(self.managed)' + - message: unmanaged is required once set + rule: '!has(oldSelf.unmanaged) || has(self.unmanaged)' fips: description: FIPS indicates whether this cluster's nodes will be running in FIPS mode. If set to true, the control plane's ignition server will be configured to expect that nodes joining the cluster will be FIPS-enabled. type: boolean + x-kubernetes-validations: + - message: fips is immutable + rule: self == oldSelf imageContentSources: description: ImageContentSources specifies image mirrors that can be used by cluster nodes to pull content. 
@@ -5371,21 +5422,31 @@ spec: description: Source is the repository that users refer to, e.g. in image pull specifications. type: string + x-kubernetes-validations: + - message: source is immutable + rule: self == oldSelf required: - source type: object + maxItems: 8 type: array infraID: description: InfraID is a globally unique identifier for the cluster. This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. type: string + x-kubernetes-validations: + - message: infraID is immutable + rule: self == oldSelf infrastructureAvailabilityPolicy: default: SingleReplica description: InfrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on cluster nodes. The default value is SingleReplica. type: string + x-kubernetes-validations: + - message: infrastructureAvailabilityPolicy is immutable + rule: self == oldSelf issuerURL: default: https://kubernetes.default.svc description: IssuerURL is an OIDC issuer URL which is used as the @@ -5394,6 +5455,9 @@ spec: works for in-cluster validation. format: uri type: string + x-kubernetes-validations: + - message: issuerURL is immutable + rule: self == oldSelf networking: description: Networking specifies network configuration for the cluster. properties: @@ -5424,6 +5488,9 @@ spec: format: int32 type: integer type: object + x-kubernetes-validations: + - message: apiServer is immutable + rule: self == oldSelf clusterNetwork: description: ClusterNetwork is the list of IP address pools for pods. @@ -5445,6 +5512,9 @@ spec: - cidr type: object type: array + x-kubernetes-validations: + - message: clusterNetwork is immutable + rule: self == oldSelf machineNetwork: description: MachineNetwork is the list of IP address pools for machines. 
@@ -5460,6 +5530,9 @@ spec: - cidr type: object type: array + x-kubernetes-validations: + - message: machineNetwork is immutable + rule: self == oldSelf networkType: default: OVNKubernetes description: NetworkType specifies the SDN provider used for cluster @@ -5470,6 +5543,9 @@ spec: - OVNKubernetes - Other type: string + x-kubernetes-validations: + - message: networkType is immutable + rule: self == oldSelf serviceNetwork: description: 'ServiceNetwork is the list of IP address pools for services. NOTE: currently only one entry is supported.' @@ -5489,6 +5565,9 @@ spec: - clusterNetwork - networkType type: object + x-kubernetes-validations: + - message: machineNetwork is required once set + rule: '!has(oldSelf.machineNetwork) || has(self.machineNetwork)' nodeSelector: additionalProperties: type: string @@ -5526,6 +5605,9 @@ spec: required: - agentNamespace type: object + x-kubernetes-validations: + - message: agent is immutable + rule: self == oldSelf aws: description: AWS specifies configuration for clusters running on Amazon Web Services. @@ -5581,6 +5663,9 @@ spec: required: - vpc type: object + x-kubernetes-validations: + - message: cloudProviderConfig is immutable + rule: self == oldSelf endpointAccess: default: Public description: EndpointAccess specifies the publishing scope @@ -5596,6 +5681,9 @@ spec: and is used by NodePool to resolve the correct boot AMI for a given release. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceTags: description: ResourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html 
@@ -5644,6 +5732,9 @@ spec: [ \"route53:ChangeResourceRecordSets\", \"route53:ListResourceRecordSets\" ], \"Resource\": \"arn:aws:route53:::%s\" } ] }" type: string + x-kubernetes-validations: + - message: controlPlaneOperatorARN is immutable + rule: self == oldSelf imageRegistryARN: description: "ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator. @@ -5713,6 +5804,9 @@ spec: ], \"Resource\": [ \"*\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: kubeCloudControllerARN is immutable + rule: self == oldSelf networkARN: description: "NetworkARN is an ARN value referencing a role appropriate for the Network Operator. \n The following @@ -5760,6 +5854,9 @@ spec: ], \"Resource\": [ \"arn:*:iam::*:role/*-worker-role\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: nodePoolManagementARN is immutable + rule: self == oldSelf storageARN: description: "StorageARN is an ARN value referencing a role appropriate for the Storage Operator. \n The following @@ -5781,6 +5878,9 @@ spec: - nodePoolManagementARN - storageARN type: object + x-kubernetes-validations: + - message: rolesRef is immutable + rule: self == oldSelf serviceEndpoints: description: "ServiceEndpoints specifies optional custom endpoints which will override the default service endpoint of specific @@ -5806,10 +5906,18 @@ spec: - url type: object type: array + x-kubernetes-validations: + - message: serviceEndpoints is immutable + rule: self == oldSelf required: - region - rolesRef type: object + x-kubernetes-validations: + - message: cloudProviderConfig is required once set + rule: '!has(oldSelf.cloudProviderConfig) || has(self.cloudProviderConfig)' + - message: serviceEndpoints is required once set + rule: '!has(oldSelf.serviceEndpoints) || has(self.serviceEndpoints)' azure: description: Azure defines azure specific settings properties: 
@@ -5868,12 +5976,18 @@ spec: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: accountID is immutable + rule: self == oldSelf cisInstanceCRN: description: CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name This field is immutable. Once set, It can't be changed. pattern: '^crn:' type: string + x-kubernetes-validations: + - message: cisInstanceCRN is immutable + rule: self == oldSelf ingressOperatorCloudCreds: description: IngressOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for ingress operator @@ -5885,6 +5999,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: ingressOperatorCloudCreds is immutable + rule: self == oldSelf kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions matching @@ -5898,6 +6015,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: kubeCloudControllerCreds is immutable + rule: self == oldSelf nodePoolManagementCreds: description: "NodePoolManagementCreds is a reference to a secret containing cloud credentials with permissions matching @@ -5911,6 +6031,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: nodePoolManagementCreds is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which the cluster resides. This configures the OCP control plane cloud integrations, 
@@ -5918,11 +6041,17 @@ spec: for a given release. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceGroup: description: ResourceGroup is the IBMCloud Resource Group in which the cluster resides. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: resourceGroup is immutable + rule: self == oldSelf serviceInstanceID: description: "ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. @@ -5934,6 +6063,9 @@ spec: instance. https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server \n This field is immutable. Once set, It can't be changed." type: string + x-kubernetes-validations: + - message: serviceInstanceID is immutable + rule: self == oldSelf storageOperatorCloudCreds: description: StorageOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for storage operator @@ -5945,6 +6077,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: storageOperatorCloudCreds is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for control plane cloud resources. This field is immutable. Once set, It can't @@ -5957,6 +6092,9 @@ spec: description: Name of resource type: string type: object + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf vpc: description: VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control plane. This field is immutable. 
@@ -5967,30 +6105,50 @@ spec: load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic into the OCP cluster. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf zone: description: Zone is the availability zone where load balancer cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - name - region type: object + x-kubernetes-validations: + - message: zone is required once set + rule: '!has(oldSelf.zone) || has(self.zone)' + - message: subnet is required once set + rule: '!has(oldSelf.subnet) || has(self.subnet)' zone: description: Zone is the availability zone where control plane cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - accountID - cisInstanceCRN 
@@ -6017,9 +6175,17 @@ spec: - Azure - PowerVS type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: agent is required once set + rule: '!has(oldSelf.agent) || has(self.agent)' + - message: powervs is required once set + rule: '!has(oldSelf.powervs) || has(self.powervs)' pullSecret: description: PullSecret references a pull secret to be injected into the container runtime of all cluster nodes. The secret must have @@ -6213,6 +6379,7 @@ spec: url: description: URL is the url to call key protect apis over + format: uri pattern: ^https:// type: string required: @@ -6264,6 +6431,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: serviceAccountSigningKey is immutable + rule: self == oldSelf services: description: "Services specifies how individual control plane services are published from the hosting cluster of the control plane. \n @@ -6275,7 +6445,8 @@ spec: of a control plane. properties: service: - description: Service identifies the type of service being published. + description: "Service identifies the type of service being published. + \n Set as immutable on the ServiceType declaration" enum: - APIServer - OAuthServer @@ -6324,8 +6495,9 @@ spec: type: string type: object type: - description: Type is the publishing strategy used for the - service. + description: "Type is the publishing strategy used for the + service. \n Set as immutable on the PublishingStrategyType + declaration" enum: - LoadBalancer - NodePort 
@@ -6335,10 +6507,16 @@ spec: required: - type type: object + x-kubernetes-validations: + - message: type is immutable + rule: oldSelf.type == self.type required: - service - servicePublishingStrategy type: object + x-kubernetes-validations: + - message: service is immutable + rule: oldSelf.service == self.service type: array sshKey: description: SSHKey references an SSH key to be injected into all @@ -6351,6 +6529,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: sshKey is immutable + rule: self == oldSelf required: - networking - platform @@ -6359,6 +6540,19 @@ spec: - services - sshKey type: object + x-kubernetes-validations: + - message: clusterID is required once set + rule: '!has(oldSelf.clusterID) || has(self.clusterID)' + - message: infraID is required once set + rule: '!has(oldSelf.infraID) || has(self.infraID)' + - message: serviceAccountSigningKey is required once set + rule: '!has(oldSelf.serviceAccountSigningKey) || has(self.serviceAccountSigningKey)' + - message: auditWebhook is required once set + rule: '!has(oldSelf.auditWebhook) || has(self.auditWebhook)' + - message: imageContentSources is required once set + rule: '!has(oldSelf.imageContentSources) || has(self.imageContentSources)' + - message: fips is required once set + rule: '!has(oldSelf.fips) || has(self.fips)' status: description: Status is the latest observed status of the HostedCluster. properties: diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml index 2717957af73..d5a057ca5e8 100644 --- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml +++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml 
@@ -5116,15 +5116,24 @@ spec: baseDomain: description: BaseDomain is the base domain of the cluster. type: string + x-kubernetes-validations: + - message: baseDomain is immutable + rule: self == oldSelf privateZoneID: description: PrivateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. type: string + x-kubernetes-validations: + - message: privateZoneID is immutable + rule: self == oldSelf publicZoneID: description: PublicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. type: string + x-kubernetes-validations: + - message: publicZoneID is immutable + rule: self == oldSelf required: - baseDomain type: object @@ -5160,7 +5169,13 @@ spec: of the data volume for each etcd member. \n See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1." type: string + x-kubernetes-validations: + - message: storageClassName is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: storageClassName is required once set + rule: '!has(oldSelf.storageClassName) || has(self.storageClassName)' restoreSnapshotURL: description: RestoreSnapshotURL allows an optional list of URLs to be provided where an etcd snapshot can be 
@@ -5171,24 +5186,39 @@ spec: items: type: string type: array + x-kubernetes-validations: + - message: restoreSnapshotURL is immutable + rule: self == oldSelf type: description: Type is the kind of persistent storage implementation to use for etcd. enum: - PersistentVolume type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: restoreSnapshotURL is required once set + rule: '!has(oldSelf.restoreSnapshotURL) || has(self.restoreSnapshotURL)' required: - storage type: object + x-kubernetes-validations: + - message: managed is immutable + rule: self == oldSelf managementType: description: ManagementType defines how the etcd cluster is managed. enum: - Managed - Unmanaged type: string + x-kubernetes-validations: + - message: managementType is immutable + rule: self == oldSelf unmanaged: description: Unmanaged specifies configuration which enables the control plane to integrate with an eternally managed etcd cluster. @@ -5225,9 +5255,17 @@ spec: - endpoint - tls type: object + x-kubernetes-validations: + - message: unmanaged is immutable + rule: self == oldSelf required: - managementType type: object + x-kubernetes-validations: + - message: managed is required once set + rule: '!has(oldSelf.managed) || has(self.managed)' + - message: unmanaged is required once set + rule: '!has(oldSelf.unmanaged) || has(self.unmanaged)' fips: description: FIPS specifies if the nodes for the cluster will be running in FIPS mode @@ -5252,6 +5290,9 @@ spec: description: Source is the repository that users refer to, e.g. in image pull specifications. type: string + x-kubernetes-validations: + - message: source is immutable + rule: self == oldSelf required: - source type: object 
@@ -5310,6 +5351,9 @@ spec: format: int32 type: integer type: object + x-kubernetes-validations: + - message: apiServer is immutable + rule: self == oldSelf clusterNetwork: description: ClusterNetwork is the list of IP address pools for pods. @@ -5331,6 +5375,9 @@ spec: - cidr type: object type: array + x-kubernetes-validations: + - message: clusterNetwork is immutable + rule: self == oldSelf machineNetwork: description: MachineNetwork is the list of IP address pools for machines. @@ -5346,6 +5393,9 @@ spec: - cidr type: object type: array + x-kubernetes-validations: + - message: machineNetwork is immutable + rule: self == oldSelf networkType: default: OVNKubernetes description: NetworkType specifies the SDN provider used for cluster @@ -5356,6 +5406,9 @@ spec: - OVNKubernetes - Other type: string + x-kubernetes-validations: + - message: networkType is immutable + rule: self == oldSelf serviceNetwork: description: 'ServiceNetwork is the list of IP address pools for services. NOTE: currently only one entry is supported.' @@ -5375,6 +5428,9 @@ spec: - clusterNetwork - networkType type: object + x-kubernetes-validations: + - message: machineNetwork is required once set + rule: '!has(oldSelf.machineNetwork) || has(self.machineNetwork)' nodeSelector: additionalProperties: type: string @@ -5413,6 +5469,9 @@ spec: required: - agentNamespace type: object + x-kubernetes-validations: + - message: agent is immutable + rule: self == oldSelf aws: description: AWS specifies configuration for clusters running on Amazon Web Services. @@ -5468,6 +5527,9 @@ spec: required: - vpc type: object + x-kubernetes-validations: + - message: cloudProviderConfig is immutable + rule: self == oldSelf endpointAccess: default: Public description: EndpointAccess specifies the publishing scope 
@@ -5483,6 +5545,9 @@ spec: and is used by NodePool to resolve the correct boot AMI for a given release. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceTags: description: ResourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html @@ -5531,6 +5596,9 @@ spec: [ \"route53:ChangeResourceRecordSets\", \"route53:ListResourceRecordSets\" ], \"Resource\": \"arn:aws:route53:::%s\" } ] }" type: string + x-kubernetes-validations: + - message: controlPlaneOperatorARN is immutable + rule: self == oldSelf imageRegistryARN: description: "ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator. @@ -5600,6 +5668,9 @@ spec: ], \"Resource\": [ \"*\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: kubeCloudControllerARN is immutable + rule: self == oldSelf networkARN: description: "NetworkARN is an ARN value referencing a role appropriate for the Network Operator. \n The following @@ -5647,6 +5718,9 @@ spec: ], \"Resource\": [ \"arn:*:iam::*:role/*-worker-role\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: nodePoolManagementARN is immutable + rule: self == oldSelf storageARN: description: "StorageARN is an ARN value referencing a role appropriate for the Storage Operator. \n The following @@ -5668,6 +5742,9 @@ spec: - nodePoolManagementARN - storageARN type: object + x-kubernetes-validations: + - message: rolesRef is immutable + rule: self == oldSelf serviceEndpoints: description: "ServiceEndpoints specifies optional custom endpoints which will override the default service endpoint of specific 
@@ -5693,10 +5770,18 @@ spec: - url type: object type: array + x-kubernetes-validations: + - message: serviceEndpoints is immutable + rule: self == oldSelf required: - region - rolesRef type: object + x-kubernetes-validations: + - message: cloudProviderConfig is required once set + rule: '!has(oldSelf.cloudProviderConfig) || has(self.cloudProviderConfig)' + - message: serviceEndpoints is required once set + rule: '!has(oldSelf.serviceEndpoints) || has(self.serviceEndpoints)' azure: description: Azure defines azure specific settings properties: @@ -5755,12 +5840,18 @@ spec: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: accountID is immutable + rule: self == oldSelf cisInstanceCRN: description: CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name This field is immutable. Once set, It can't be changed. pattern: '^crn:' type: string + x-kubernetes-validations: + - message: cisInstanceCRN is immutable + rule: self == oldSelf ingressOperatorCloudCreds: description: IngressOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for ingress operator @@ -5772,6 +5863,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: ingressOperatorCloudCreds is immutable + rule: self == oldSelf kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions matching @@ -5785,6 +5879,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: kubeCloudControllerCreds is immutable + rule: self == oldSelf nodePoolManagementCreds: description: "NodePoolManagementCreds is a reference to a secret containing cloud credentials with permissions matching 
@@ -5798,6 +5895,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: nodePoolManagementCreds is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which the cluster resides. This configures the OCP control plane cloud integrations, @@ -5805,11 +5905,17 @@ spec: for a given release. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceGroup: description: ResourceGroup is the IBMCloud Resource Group in which the cluster resides. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: resourceGroup is immutable + rule: self == oldSelf serviceInstanceID: description: "ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. @@ -5821,6 +5927,9 @@ spec: instance. https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server \n This field is immutable. Once set, It can't be changed." type: string + x-kubernetes-validations: + - message: serviceInstanceID is immutable + rule: self == oldSelf storageOperatorCloudCreds: description: StorageOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for storage operator @@ -5832,6 +5941,9 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: storageOperatorCloudCreds is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for control plane cloud resources. This field is immutable. Once set, It can't @@ -5844,6 +5956,9 @@ spec: description: Name of resource type: string type: object + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf vpc: description: VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control plane. This field is immutable. 
@@ -5854,30 +5969,50 @@ spec: load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic into the OCP cluster. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf zone: description: Zone is the availability zone where load balancer cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - name - region type: object + x-kubernetes-validations: + - message: zone is required once set + rule: '!has(oldSelf.zone) || has(self.zone)' + - message: subnet is required once set + rule: '!has(oldSelf.subnet) || has(self.subnet)' zone: description: Zone is the availability zone where control plane cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - accountID - cisInstanceCRN 
@@ -5904,9 +6039,17 @@ spec: - Azure - PowerVS type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: agent is required once set + rule: '!has(oldSelf.agent) || has(self.agent)' + - message: powervs is required once set + rule: '!has(oldSelf.powervs) || has(self.powervs)' pullSecret: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. @@ -6087,6 +6230,7 @@ spec: url: description: URL is the url to call key protect apis over + format: uri pattern: ^https:// type: string required: @@ -6146,7 +6290,8 @@ spec: of a control plane. properties: service: - description: Service identifies the type of service being published. + description: "Service identifies the type of service being published. + \n Set as immutable on the ServiceType declaration" enum: - APIServer - OAuthServer @@ -6195,8 +6340,9 @@ spec: type: string type: object type: - description: Type is the publishing strategy used for the - service. + description: "Type is the publishing strategy used for the + service. \n Set as immutable on the PublishingStrategyType + declaration" enum: - LoadBalancer - NodePort @@ -6206,10 +6352,16 @@ spec: required: - type type: object + x-kubernetes-validations: + - message: type is immutable + rule: oldSelf.type == self.type required: - service - servicePublishingStrategy type: object + x-kubernetes-validations: + - message: service is immutable + rule: oldSelf.service == self.service type: array sshKey: description: LocalObjectReference contains enough information to let diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml index 1433ff3d62f..7763e2d9c29 100644 --- a/hack/app-sre/saas_template.yaml +++ b/hack/app-sre/saas_template.yaml 
@@ -23853,6 +23853,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: auditWebhook is immutable + rule: self == oldSelf autoscaling: description: Autoscaling specifies auto-scaling behavior that applies to all NodePools associated with the control plane. @@ -23894,8 +23897,12 @@ objects: identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. If a value is not specified, an ID is generated. After initial creation, the value is immutable. + maxLength: 40 pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' type: string + x-kubernetes-validations: + - message: clusterID is immutable + rule: self == oldSelf configuration: description: Configuration specifies configuration for individual OCP components in the cluster, represented as embedded resources @@ -25675,21 +25682,33 @@ objects: policy applied to critical control plane components. The default value is SingleReplica. type: string + x-kubernetes-validations: + - message: controllerAvailabilityPolicy is immutable + rule: self == oldSelf dns: description: DNS specifies DNS configuration for the cluster. properties: baseDomain: description: BaseDomain is the base domain of the cluster. type: string + x-kubernetes-validations: + - message: baseDomain is immutable + rule: self == oldSelf privateZoneID: description: PrivateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. type: string + x-kubernetes-validations: + - message: privateZoneID is immutable + rule: self == oldSelf publicZoneID: description: PublicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. type: string + x-kubernetes-validations: + - message: publicZoneID is immutable + rule: self == oldSelf required: - baseDomain type: object 
@@ -25733,7 +25752,13 @@ objects: of the data volume for each etcd member. \n See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1." type: string + x-kubernetes-validations: + - message: storageClassName is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: storageClassName is required once set + rule: '!has(oldSelf.storageClassName) || has(self.storageClassName)' restoreSnapshotURL: description: RestoreSnapshotURL allows an optional list of URLs to be provided where an etcd snapshot can @@ -25744,18 +25769,30 @@ objects: items: type: string type: array + x-kubernetes-validations: + - message: restoreSnapshotURL is immutable + rule: self == oldSelf type: description: Type is the kind of persistent storage implementation to use for etcd. enum: - PersistentVolume type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: restoreSnapshotURL is required once set + rule: '!has(oldSelf.restoreSnapshotURL) || has(self.restoreSnapshotURL)' required: - storage type: object + x-kubernetes-validations: + - message: managed is immutable + rule: self == oldSelf managementType: description: ManagementType defines how the etcd cluster is managed. @@ -25763,6 +25800,9 @@ objects: - Managed - Unmanaged type: string + x-kubernetes-validations: + - message: managementType is immutable + rule: self == oldSelf unmanaged: description: Unmanaged specifies configuration which enables the control plane to integrate with an eternally managed etcd 
@@ -25800,15 +25840,26 @@ objects: - endpoint - tls type: object + x-kubernetes-validations: + - message: unmanaged is immutable + rule: self == oldSelf required: - managementType type: object + x-kubernetes-validations: + - message: managed is required once set + rule: '!has(oldSelf.managed) || has(self.managed)' + - message: unmanaged is required once set + rule: '!has(oldSelf.unmanaged) || has(self.unmanaged)' fips: description: FIPS indicates whether this cluster's nodes will be running in FIPS mode. If set to true, the control plane's ignition server will be configured to expect that nodes joining the cluster will be FIPS-enabled. type: boolean + x-kubernetes-validations: + - message: fips is immutable + rule: self == oldSelf imageContentSources: description: ImageContentSources specifies image mirrors that can be used by cluster nodes to pull content. 
@@ -25825,25 +25876,44 @@ objects: items: type: string type: array + x-kubernetes-validations: + - message: mirrors is immutable + rule: self == oldSelf source: description: Source is the repository that users refer to, e.g. in image pull specifications. type: string + x-kubernetes-validations: + - message: source is immutable + rule: self == oldSelf required: - source type: object + x-kubernetes-validations: + - message: mirrors is required once set + rule: '!has(oldSelf.mirrors) || has(self.mirrors)' + maxItems: 8 type: array + x-kubernetes-validations: + - message: imageContentSources is immutable + rule: self == oldSelf infraID: description: InfraID is a globally unique identifier for the cluster. This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. type: string + x-kubernetes-validations: + - message: infraID is immutable + rule: self == oldSelf infrastructureAvailabilityPolicy: default: SingleReplica description: InfrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on cluster nodes. The default value is SingleReplica. type: string + x-kubernetes-validations: + - message: infrastructureAvailabilityPolicy is immutable + rule: self == oldSelf issuerURL: default: https://kubernetes.default.svc description: IssuerURL is an OIDC issuer URL which is used as the @@ -25852,6 +25922,9 @@ objects: only works for in-cluster validation. format: uri type: string + x-kubernetes-validations: + - message: issuerURL is immutable + rule: self == oldSelf networking: description: Networking specifies network configuration for the cluster. @@ -25884,6 +25957,9 @@ objects: format: int32 type: integer type: object + x-kubernetes-validations: + - message: apiServer is immutable + rule: self == oldSelf clusterNetwork: description: ClusterNetwork is the list of IP address pools for pods. 
@@ -25905,6 +25981,9 @@ objects: - cidr type: object type: array + x-kubernetes-validations: + - message: clusterNetwork is immutable + rule: self == oldSelf machineNetwork: description: MachineNetwork is the list of IP address pools for machines. @@ -25920,6 +25999,9 @@ objects: - cidr type: object type: array + x-kubernetes-validations: + - message: machineNetwork is immutable + rule: self == oldSelf networkType: default: OVNKubernetes description: NetworkType specifies the SDN provider used for @@ -25930,6 +26012,9 @@ objects: - OVNKubernetes - Other type: string + x-kubernetes-validations: + - message: networkType is immutable + rule: self == oldSelf serviceNetwork: description: 'ServiceNetwork is the list of IP address pools for services. NOTE: currently only one entry is supported.' @@ -25949,6 +26034,9 @@ objects: - clusterNetwork - networkType type: object + x-kubernetes-validations: + - message: machineNetwork is required once set + rule: '!has(oldSelf.machineNetwork) || has(self.machineNetwork)' nodeSelector: additionalProperties: type: string @@ -25987,6 +26075,9 @@ objects: required: - agentNamespace type: object + x-kubernetes-validations: + - message: agent is immutable + rule: self == oldSelf aws: description: AWS specifies configuration for clusters running on Amazon Web Services. @@ -26042,6 +26133,9 @@ objects: required: - vpc type: object + x-kubernetes-validations: + - message: cloudProviderConfig is immutable + rule: self == oldSelf endpointAccess: default: Public description: EndpointAccess specifies the publishing scope @@ -26057,6 +26151,9 @@ objects: and is used by NodePool to resolve the correct boot AMI for a given release. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceTags: description: ResourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html 
@@ -26107,6 +26204,9 @@ objects: [ \"route53:ChangeResourceRecordSets\", \"route53:ListResourceRecordSets\" ], \"Resource\": \"arn:aws:route53:::%s\" } ] }" type: string + x-kubernetes-validations: + - message: controlPlaneOperatorARN is immutable + rule: self == oldSelf imageRegistryARN: description: "ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator. @@ -26179,6 +26279,9 @@ objects: ], \"Resource\": [ \"*\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: kubeCloudControllerARN is immutable + rule: self == oldSelf networkARN: description: "NetworkARN is an ARN value referencing a role appropriate for the Network Operator. \n The @@ -26228,6 +26331,9 @@ objects: ], \"Resource\": [ \"arn:*:iam::*:role/*-worker-role\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: nodePoolManagementARN is immutable + rule: self == oldSelf storageARN: description: "StorageARN is an ARN value referencing a role appropriate for the Storage Operator. \n The @@ -26250,6 +26356,9 @@ objects: - nodePoolManagementARN - storageARN type: object + x-kubernetes-validations: + - message: rolesRef is immutable + rule: self == oldSelf serviceEndpoints: description: "ServiceEndpoints specifies optional custom endpoints which will override the default service endpoint @@ -26275,10 +26384,18 @@ objects: - url type: object type: array + x-kubernetes-validations: + - message: serviceEndpoints is immutable + rule: self == oldSelf required: - region - rolesRef type: object + x-kubernetes-validations: + - message: cloudProviderConfig is required once set + rule: '!has(oldSelf.cloudProviderConfig) || has(self.cloudProviderConfig)' + - message: serviceEndpoints is required once set + rule: '!has(oldSelf.serviceEndpoints) || has(self.serviceEndpoints)' azure: description: Azure defines azure specific settings properties: 
@@ -26338,12 +26455,18 @@ objects: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: accountID is immutable + rule: self == oldSelf cisInstanceCRN: description: CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name This field is immutable. Once set, It can't be changed. pattern: '^crn:' type: string + x-kubernetes-validations: + - message: cisInstanceCRN is immutable + rule: self == oldSelf ingressOperatorCloudCreds: description: IngressOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for ingress @@ -26355,6 +26478,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: ingressOperatorCloudCreds is immutable + rule: self == oldSelf kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions @@ -26368,6 +26494,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: kubeCloudControllerCreds is immutable + rule: self == oldSelf nodePoolManagementCreds: description: "NodePoolManagementCreds is a reference to a secret containing cloud credentials with permissions @@ -26381,6 +26510,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: nodePoolManagementCreds is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which the cluster resides. This configures the OCP control plane 
@@ -26388,11 +26520,17 @@ objects: the correct boot image for a given release. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceGroup: description: ResourceGroup is the IBMCloud Resource Group in which the cluster resides. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: resourceGroup is immutable + rule: self == oldSelf serviceInstanceID: description: "ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. @@ -26404,6 +26542,9 @@ objects: VS service instance. https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server \n This field is immutable. Once set, It can't be changed." type: string + x-kubernetes-validations: + - message: serviceInstanceID is immutable + rule: self == oldSelf storageOperatorCloudCreds: description: StorageOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for storage @@ -26415,6 +26556,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: storageOperatorCloudCreds is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for control plane cloud resources. This field is immutable. Once set, It @@ -26427,6 +26571,9 @@ objects: description: Name of resource type: string type: object + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf vpc: description: VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control plane. This field is immutable. 
@@ -26437,30 +26584,50 @@ objects: load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic into the OCP cluster. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf zone: description: Zone is the availability zone where load balancer cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - name - region type: object + x-kubernetes-validations: + - message: zone is required once set + rule: '!has(oldSelf.zone) || has(self.zone)' + - message: subnet is required once set + rule: '!has(oldSelf.subnet) || has(self.subnet)' zone: description: Zone is the availability zone where control plane cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - accountID - cisInstanceCRN 
@@ -26487,9 +26654,17 @@ objects: - Azure - PowerVS type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: agent is required once set + rule: '!has(oldSelf.agent) || has(self.agent)' + - message: powervs is required once set + rule: '!has(oldSelf.powervs) || has(self.powervs)' pullSecret: description: PullSecret references a pull secret to be injected into the container runtime of all cluster nodes. The secret must @@ -26685,6 +26860,7 @@ objects: url: description: URL is the url to call key protect apis over + format: uri pattern: ^https:// type: string required: @@ -26736,6 +26912,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: serviceAccountSigningKey is immutable + rule: self == oldSelf services: description: "Services specifies how individual control plane services are published from the hosting cluster of the control plane. \n @@ -26747,8 +26926,8 @@ objects: of a control plane. properties: service: - description: Service identifies the type of service being - published. + description: "Service identifies the type of service being + published. \n Set as immutable on the ServiceType declaration" enum: - APIServer - OAuthServer @@ -26757,6 +26936,9 @@ objects: - Ignition - OVNSbDb type: string + x-kubernetes-validations: + - message: service is immutable + rule: self == oldSelf servicePublishingStrategy: description: ServicePublishingStrategy specifies how to publish Service. 
@@ -26797,14 +26979,18 @@ objects: type: string type: object type: - description: Type is the publishing strategy used for - the service. + description: "Type is the publishing strategy used for + the service. \n Set as immutable on the PublishingStrategyType + declaration" enum: - LoadBalancer - NodePort - Route - None type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object @@ -26824,6 +27010,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: sshKey is immutable + rule: self == oldSelf required: - networking - platform @@ -26832,6 +27021,19 @@ objects: - services - sshKey type: object + x-kubernetes-validations: + - message: clusterID is required once set + rule: '!has(oldSelf.clusterID) || has(self.clusterID)' + - message: infraID is required once set + rule: '!has(oldSelf.infraID) || has(self.infraID)' + - message: serviceAccountSigningKey is required once set + rule: '!has(oldSelf.serviceAccountSigningKey) || has(self.serviceAccountSigningKey)' + - message: auditWebhook is required once set + rule: '!has(oldSelf.auditWebhook) || has(self.auditWebhook)' + - message: imageContentSources is required once set + rule: '!has(oldSelf.imageContentSources) || has(self.imageContentSources)' + - message: fips is required once set + rule: '!has(oldSelf.fips) || has(self.fips)' status: description: Status is the latest observed status of the HostedCluster. properties: 
@@ -32291,15 +32493,24 @@ objects: baseDomain: description: BaseDomain is the base domain of the cluster. type: string + x-kubernetes-validations: + - message: baseDomain is immutable + rule: self == oldSelf privateZoneID: description: PrivateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. type: string + x-kubernetes-validations: + - message: privateZoneID is immutable + rule: self == oldSelf publicZoneID: description: PublicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. type: string + x-kubernetes-validations: + - message: publicZoneID is immutable + rule: self == oldSelf required: - baseDomain type: object @@ -32335,7 +32546,13 @@ objects: of the data volume for each etcd member. \n See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1." type: string + x-kubernetes-validations: + - message: storageClassName is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: storageClassName is required once set + rule: '!has(oldSelf.storageClassName) || has(self.storageClassName)' restoreSnapshotURL: description: RestoreSnapshotURL allows an optional list of URLs to be provided where an etcd snapshot can 
@@ -32346,18 +32563,30 @@ objects: items: type: string type: array + x-kubernetes-validations: + - message: restoreSnapshotURL is immutable + rule: self == oldSelf type: description: Type is the kind of persistent storage implementation to use for etcd. enum: - PersistentVolume type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: restoreSnapshotURL is required once set + rule: '!has(oldSelf.restoreSnapshotURL) || has(self.restoreSnapshotURL)' required: - storage type: object + x-kubernetes-validations: + - message: managed is immutable + rule: self == oldSelf managementType: description: ManagementType defines how the etcd cluster is managed. @@ -32365,6 +32594,9 @@ objects: - Managed - Unmanaged type: string + x-kubernetes-validations: + - message: managementType is immutable + rule: self == oldSelf unmanaged: description: Unmanaged specifies configuration which enables the control plane to integrate with an eternally managed etcd @@ -32402,9 +32634,17 @@ objects: - endpoint - tls type: object + x-kubernetes-validations: + - message: unmanaged is immutable + rule: self == oldSelf required: - managementType type: object + x-kubernetes-validations: + - message: managed is required once set + rule: '!has(oldSelf.managed) || has(self.managed)' + - message: unmanaged is required once set + rule: '!has(oldSelf.unmanaged) || has(self.unmanaged)' fips: description: FIPS specifies if the nodes for the cluster will be running in FIPS mode 
@@ -32425,13 +32665,22 @@ objects: items: type: string type: array + x-kubernetes-validations: + - message: mirrors is immutable + rule: self == oldSelf source: description: Source is the repository that users refer to, e.g. in image pull specifications. type: string + x-kubernetes-validations: + - message: source is immutable + rule: self == oldSelf required: - source type: object + x-kubernetes-validations: + - message: mirrors is required once set + rule: '!has(oldSelf.mirrors) || has(self.mirrors)' type: array infraID: type: string @@ -32488,6 +32737,9 @@ objects: format: int32 type: integer type: object + x-kubernetes-validations: + - message: apiServer is immutable + rule: self == oldSelf clusterNetwork: description: ClusterNetwork is the list of IP address pools for pods. @@ -32509,6 +32761,9 @@ objects: - cidr type: object type: array + x-kubernetes-validations: + - message: clusterNetwork is immutable + rule: self == oldSelf machineNetwork: description: MachineNetwork is the list of IP address pools for machines. @@ -32524,6 +32779,9 @@ objects: - cidr type: object type: array + x-kubernetes-validations: + - message: machineNetwork is immutable + rule: self == oldSelf networkType: default: OVNKubernetes description: NetworkType specifies the SDN provider used for @@ -32534,6 +32792,9 @@ objects: - OVNKubernetes - Other type: string + x-kubernetes-validations: + - message: networkType is immutable + rule: self == oldSelf serviceNetwork: description: 'ServiceNetwork is the list of IP address pools for services. NOTE: currently only one entry is supported.' @@ -32553,6 +32814,9 @@ objects: - clusterNetwork - networkType type: object + x-kubernetes-validations: + - message: machineNetwork is required once set + rule: '!has(oldSelf.machineNetwork) || has(self.machineNetwork)' nodeSelector: additionalProperties: type: string 
@@ -32592,6 +32856,9 @@ objects: required: - agentNamespace type: object + x-kubernetes-validations: + - message: agent is immutable + rule: self == oldSelf aws: description: AWS specifies configuration for clusters running on Amazon Web Services. @@ -32647,6 +32914,9 @@ objects: required: - vpc type: object + x-kubernetes-validations: + - message: cloudProviderConfig is immutable + rule: self == oldSelf endpointAccess: default: Public description: EndpointAccess specifies the publishing scope @@ -32662,6 +32932,9 @@ objects: and is used by NodePool to resolve the correct boot AMI for a given release. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceTags: description: ResourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html @@ -32712,6 +32985,9 @@ objects: [ \"route53:ChangeResourceRecordSets\", \"route53:ListResourceRecordSets\" ], \"Resource\": \"arn:aws:route53:::%s\" } ] }" type: string + x-kubernetes-validations: + - message: controlPlaneOperatorARN is immutable + rule: self == oldSelf imageRegistryARN: description: "ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator. @@ -32784,6 +33060,9 @@ objects: ], \"Resource\": [ \"*\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: kubeCloudControllerARN is immutable + rule: self == oldSelf networkARN: description: "NetworkARN is an ARN value referencing a role appropriate for the Network Operator. \n The @@ -32833,6 +33112,9 @@ objects: ], \"Resource\": [ \"arn:*:iam::*:role/*-worker-role\" ], \"Effect\": \"Allow\" } ] }" type: string + x-kubernetes-validations: + - message: nodePoolManagementARN is immutable + rule: self == oldSelf storageARN: description: "StorageARN is an ARN value referencing a role appropriate for the Storage Operator. \n The 
@@ -32855,6 +33137,9 @@ objects: - nodePoolManagementARN - storageARN type: object + x-kubernetes-validations: + - message: rolesRef is immutable + rule: self == oldSelf serviceEndpoints: description: "ServiceEndpoints specifies optional custom endpoints which will override the default service endpoint @@ -32880,10 +33165,18 @@ objects: - url type: object type: array + x-kubernetes-validations: + - message: serviceEndpoints is immutable + rule: self == oldSelf required: - region - rolesRef type: object + x-kubernetes-validations: + - message: cloudProviderConfig is required once set + rule: '!has(oldSelf.cloudProviderConfig) || has(self.cloudProviderConfig)' + - message: serviceEndpoints is required once set + rule: '!has(oldSelf.serviceEndpoints) || has(self.serviceEndpoints)' azure: description: Azure defines azure specific settings properties: @@ -32943,12 +33236,18 @@ objects: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: accountID is immutable + rule: self == oldSelf cisInstanceCRN: description: CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name This field is immutable. Once set, It can't be changed. pattern: '^crn:' type: string + x-kubernetes-validations: + - message: cisInstanceCRN is immutable + rule: self == oldSelf ingressOperatorCloudCreds: description: IngressOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for ingress @@ -32960,6 +33259,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: ingressOperatorCloudCreds is immutable + rule: self == oldSelf kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions 
@@ -32973,6 +33275,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: kubeCloudControllerCreds is immutable + rule: self == oldSelf nodePoolManagementCreds: description: "NodePoolManagementCreds is a reference to a secret containing cloud credentials with permissions @@ -32986,6 +33291,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: nodePoolManagementCreds is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which the cluster resides. This configures the OCP control plane @@ -32993,11 +33301,17 @@ objects: the correct boot image for a given release. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf resourceGroup: description: ResourceGroup is the IBMCloud Resource Group in which the cluster resides. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: resourceGroup is immutable + rule: self == oldSelf serviceInstanceID: description: "ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. @@ -33009,6 +33323,9 @@ objects: VS service instance. https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server \n This field is immutable. Once set, It can't be changed." type: string + x-kubernetes-validations: + - message: serviceInstanceID is immutable + rule: self == oldSelf storageOperatorCloudCreds: description: StorageOperatorCloudCreds is a reference to a secret containing ibm cloud credentials for storage 
@@ -33020,6 +33337,9 @@ objects: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: storageOperatorCloudCreds is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for control plane cloud resources. This field is immutable. Once set, It @@ -33032,6 +33352,9 @@ objects: description: Name of resource type: string type: object + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf vpc: description: VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control plane. This field is immutable. 
@@ -33042,30 +33365,50 @@ objects: load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf region: description: Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic into the OCP cluster. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: region is immutable + rule: self == oldSelf subnet: description: Subnet is the subnet to use for load balancer. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf zone: description: Zone is the availability zone where load balancer cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - name - region type: object + x-kubernetes-validations: + - message: zone is required once set + rule: '!has(oldSelf.zone) || has(self.zone)' + - message: subnet is required once set + rule: '!has(oldSelf.subnet) || has(self.subnet)' zone: description: Zone is the availability zone where control plane cloud resources are created. This field is immutable. Once set, It can't be changed. type: string + x-kubernetes-validations: + - message: zone is immutable + rule: self == oldSelf required: - accountID - cisInstanceCRN 
@@ -33092,9 +33435,17 @@ objects: - Azure - PowerVS type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object + x-kubernetes-validations: + - message: agent is required once set + rule: '!has(oldSelf.agent) || has(self.agent)' + - message: powervs is required once set + rule: '!has(oldSelf.powervs) || has(self.powervs)' pullSecret: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. @@ -33276,6 +33627,7 @@ objects: url: description: URL is the url to call key protect apis over + format: uri pattern: ^https:// type: string required: @@ -33335,8 +33687,8 @@ objects: of a control plane. properties: service: - description: Service identifies the type of service being - published. + description: "Service identifies the type of service being + published. \n Set as immutable on the ServiceType declaration" enum: - APIServer - OAuthServer @@ -33345,6 +33697,9 @@ objects: - Ignition - OVNSbDb type: string + x-kubernetes-validations: + - message: service is immutable + rule: self == oldSelf servicePublishingStrategy: description: ServicePublishingStrategy specifies how to publish Service. @@ -33385,14 +33740,18 @@ objects: type: string type: object type: - description: Type is the publishing strategy used for - the service. + description: "Type is the publishing strategy used for + the service. \n Set as immutable on the PublishingStrategyType + declaration" enum: - LoadBalancer - NodePort - Route - None type: string + x-kubernetes-validations: + - message: type is immutable + rule: self == oldSelf required: - type type: object