diff --git a/config/applyconfigurations/internal/internal.go b/config/applyconfigurations/internal/internal.go
index ba8ba86cf..44304442d 100644
--- a/config/applyconfigurations/internal/internal.go
+++ b/config/applyconfigurations/internal/internal.go
@@ -562,15 +562,45 @@ var schemaYAML = typed.YAMLObject(`types:
namedType: com.github.openshift.api.config.v1.BuildOverrides
default: {}
- name: com.github.openshift.api.config.v1.CRIOCredentialProviderConfig
- scalar: untyped
- list:
- elementType:
- namedType: __untyped_atomic_
- elementRelationship: atomic
map:
- elementType:
- namedType: __untyped_deduced_
- elementRelationship: separable
+ fields:
+ - name: apiVersion
+ type:
+ scalar: string
+ - name: kind
+ type:
+ scalar: string
+ - name: metadata
+ type:
+ namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+ default: {}
+ - name: spec
+ type:
+ namedType: com.github.openshift.api.config.v1.CRIOCredentialProviderConfigSpec
+ - name: status
+ type:
+ namedType: com.github.openshift.api.config.v1.CRIOCredentialProviderConfigStatus
+ default: {}
+- name: com.github.openshift.api.config.v1.CRIOCredentialProviderConfigSpec
+ map:
+ fields:
+ - name: matchImages
+ type:
+ list:
+ elementType:
+ scalar: string
+ elementRelationship: associative
+- name: com.github.openshift.api.config.v1.CRIOCredentialProviderConfigStatus
+ map:
+ fields:
+ - name: conditions
+ type:
+ list:
+ elementType:
+ namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+ elementRelationship: associative
+ keys:
+ - type
- name: com.github.openshift.api.config.v1.ClientCredentialConfig
map:
fields:
diff --git a/go.mod b/go.mod
index 4c6347c35..9d64be614 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/openshift/client-go
go 1.25.0
+replace github.com/openshift/api => github.com/bhperry/openshift-api v0.0.0-20260709150816-69d6f1b49426
+
require (
github.com/openshift/api v0.0.0-20260702202555-ef71f942ef6c
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
diff --git a/go.sum b/go.sum
index 8feb2dca0..8de004ea5 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/bhperry/openshift-api v0.0.0-20260709150816-69d6f1b49426 h1:zahkrQj9Jei8+t9yXabDHc75Ha+Holy3kQsdcKXv+oY=
+github.com/bhperry/openshift-api v0.0.0-20260709150816-69d6f1b49426/go.mod h1:7WJ3IPaK6nmWT8bDcaNooHqd0H5WepjVqV/10VlkMEM=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -71,8 +73,6 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/openshift/api v0.0.0-20260702202555-ef71f942ef6c h1:X1B6zMjD7kmKcuv9Cxs4Zhq/ruJLt7BsywSWKOA9Jn4=
-github.com/openshift/api v0.0.0-20260702202555-ef71f942ef6c/go.mod h1:7WJ3IPaK6nmWT8bDcaNooHqd0H5WepjVqV/10VlkMEM=
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/operator/applyconfigurations/internal/internal.go b/operator/applyconfigurations/internal/internal.go
index a7f34e264..23045cd7a 100644
--- a/operator/applyconfigurations/internal/internal.go
+++ b/operator/applyconfigurations/internal/internal.go
@@ -222,6 +222,9 @@ var schemaYAML = typed.YAMLObject(`types:
elementType:
scalar: string
elementRelationship: atomic
+ - name: protocol
+ type:
+ scalar: string
- name: subnets
type:
namedType: com.github.openshift.api.operator.v1.AWSSubnets
@@ -322,6 +325,31 @@ var schemaYAML = typed.YAMLObject(`types:
type:
namedType: com.github.openshift.api.operator.v1.AuthenticationStatus
default: {}
+- name: com.github.openshift.api.operator.v1.AuthenticationConfigMapReference
+ map:
+ fields:
+ - name: name
+ type:
+ scalar: string
+- name: com.github.openshift.api.operator.v1.AuthenticationProxyConfig
+ map:
+ fields:
+ - name: httpProxy
+ type:
+ scalar: string
+ - name: httpsProxy
+ type:
+ scalar: string
+ - name: noProxy
+ type:
+ list:
+ elementType:
+ scalar: string
+ elementRelationship: associative
+ - name: trustedCA
+ type:
+ namedType: com.github.openshift.api.operator.v1.AuthenticationConfigMapReference
+ default: {}
- name: com.github.openshift.api.operator.v1.AuthenticationSpec
map:
fields:
@@ -338,6 +366,10 @@ var schemaYAML = typed.YAMLObject(`types:
- name: operatorLogLevel
type:
scalar: string
+ - name: proxy
+ type:
+ namedType: com.github.openshift.api.operator.v1.AuthenticationProxyConfig
+ default: {}
- name: unsupportedConfigOverrides
type:
namedType: __untyped_atomic_
@@ -466,6 +498,10 @@ var schemaYAML = typed.YAMLObject(`types:
- name: ibmcloud
type:
namedType: com.github.openshift.api.operator.v1.IBMCloudCSIDriverConfigSpec
+ - name: secretsStore
+ type:
+ namedType: com.github.openshift.api.operator.v1.SecretsStoreCSIDriverConfigSpec
+ default: {}
- name: vSphere
type:
namedType: com.github.openshift.api.operator.v1.VSphereCSIDriverConfigSpec
@@ -480,6 +516,8 @@ var schemaYAML = typed.YAMLObject(`types:
discriminatorValue: GCP
- fieldName: ibmcloud
discriminatorValue: IBMCloud
+ - fieldName: secretsStore
+ discriminatorValue: SecretsStore
- fieldName: vSphere
discriminatorValue: VSphere
- name: com.github.openshift.api.operator.v1.CSISnapshotController
@@ -1054,6 +1092,12 @@ var schemaYAML = typed.YAMLObject(`types:
- name: maxLength
type:
scalar: numeric
+- name: com.github.openshift.api.operator.v1.CustomSecretRotation
+ map:
+ fields:
+ - name: rotationPollIntervalSeconds
+ type:
+ scalar: numeric
- name: com.github.openshift.api.operator.v1.DNS
map:
fields:
@@ -2751,6 +2795,17 @@ var schemaYAML = typed.YAMLObject(`types:
keys:
- resource
- apiGroup
+- name: com.github.openshift.api.operator.v1.ManagedTokenRequests
+ map:
+ fields:
+ - name: audiences
+ type:
+ list:
+ elementType:
+ namedType: com.github.openshift.api.operator.v1.SecretsStoreTokenRequest
+ elementRelationship: associative
+ keys:
+ - audience
- name: com.github.openshift.api.operator.v1.NetFlowConfig
map:
fields:
@@ -3120,6 +3175,9 @@ var schemaYAML = typed.YAMLObject(`types:
type:
scalar: string
default: ""
+ - name: nodeUID
+ type:
+ scalar: string
- name: targetRevision
type:
scalar: numeric
@@ -3649,6 +3707,56 @@ var schemaYAML = typed.YAMLObject(`types:
elementType:
scalar: string
elementRelationship: atomic
+- name: com.github.openshift.api.operator.v1.SecretsStoreCSIDriverConfigSpec
+ map:
+ fields:
+ - name: secretRotation
+ type:
+ namedType: com.github.openshift.api.operator.v1.SecretsStoreSecretRotation
+ default: {}
+ - name: tokenRequests
+ type:
+ namedType: com.github.openshift.api.operator.v1.SecretsStoreTokenRequests
+ default: {}
+- name: com.github.openshift.api.operator.v1.SecretsStoreSecretRotation
+ map:
+ fields:
+ - name: custom
+ type:
+ namedType: com.github.openshift.api.operator.v1.CustomSecretRotation
+ default: {}
+ - name: type
+ type:
+ scalar: string
+ unions:
+ - discriminator: type
+ fields:
+ - fieldName: custom
+ discriminatorValue: Custom
+- name: com.github.openshift.api.operator.v1.SecretsStoreTokenRequest
+ map:
+ fields:
+ - name: audience
+ type:
+ scalar: string
+ - name: expirationSeconds
+ type:
+ scalar: numeric
+- name: com.github.openshift.api.operator.v1.SecretsStoreTokenRequests
+ map:
+ fields:
+ - name: managed
+ type:
+ namedType: com.github.openshift.api.operator.v1.ManagedTokenRequests
+ default: {}
+ - name: type
+ type:
+ scalar: string
+ unions:
+ - discriminator: type
+ fields:
+ - fieldName: managed
+ discriminatorValue: Managed
- name: com.github.openshift.api.operator.v1.Server
map:
fields:
diff --git a/operator/applyconfigurations/operator/v1/authenticationconfigmapreference.go b/operator/applyconfigurations/operator/v1/authenticationconfigmapreference.go
new file mode 100644
index 000000000..074390664
--- /dev/null
+++ b/operator/applyconfigurations/operator/v1/authenticationconfigmapreference.go
@@ -0,0 +1,30 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// AuthenticationConfigMapReferenceApplyConfiguration represents a declarative configuration of the AuthenticationConfigMapReference type for use
+// with apply.
+//
+// AuthenticationConfigMapReference references a ConfigMap in the
+// openshift-config namespace.
+type AuthenticationConfigMapReferenceApplyConfiguration struct {
+ // name is the metadata.name of the referenced ConfigMap.
+ // Must be a valid DNS subdomain name (RFC 1123): at most 253
+ // characters, only lowercase alphanumeric characters, '-' or
+ // '.', starting and ending with an alphanumeric character.
+ Name *string `json:"name,omitempty"`
+}
+
+// AuthenticationConfigMapReferenceApplyConfiguration constructs a declarative configuration of the AuthenticationConfigMapReference type for use with
+// apply.
+func AuthenticationConfigMapReference() *AuthenticationConfigMapReferenceApplyConfiguration {
+ return &AuthenticationConfigMapReferenceApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *AuthenticationConfigMapReferenceApplyConfiguration) WithName(value string) *AuthenticationConfigMapReferenceApplyConfiguration {
+ b.Name = &value
+ return b
+}
diff --git a/operator/applyconfigurations/operator/v1/authenticationproxyconfig.go b/operator/applyconfigurations/operator/v1/authenticationproxyconfig.go
new file mode 100644
index 000000000..8b5e29144
--- /dev/null
+++ b/operator/applyconfigurations/operator/v1/authenticationproxyconfig.go
@@ -0,0 +1,79 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// AuthenticationProxyConfigApplyConfiguration represents a declarative configuration of the AuthenticationProxyConfig type for use
+// with apply.
+//
+// AuthenticationProxyConfig holds proxy configuration scoped to
+// authentication components (the OAuth server and the cluster
+// authentication operator).
+type AuthenticationProxyConfigApplyConfiguration struct {
+ // httpProxy is the URL of the proxy for HTTP requests.
+ // Must be a valid URL with http or https scheme, a non-empty
+ // hostname, and no path, query parameters, or fragment.
+ // Userinfo (e.g. user:password@host) is allowed for proxy
+ // authentication. Maximum length is 2048 characters.
+ HTTPProxy *string `json:"httpProxy,omitempty"`
+ // httpsProxy is the URL of the proxy for HTTPS requests.
+ // Must be a valid URL with http or https scheme, a non-empty
+ // hostname, and no path, query parameters, or fragment.
+ // Userinfo (e.g. user:password@host) is allowed for proxy
+ // authentication. Maximum length is 2048 characters.
+ HTTPSProxy *string `json:"httpsProxy,omitempty"`
+ // noProxy is a list of hostnames and/or CIDRs and/or IPs for which
+ // the proxy should not be used. Must contain at least one entry
+ // when set. Each entry must be between 1 and 253 characters long
+ // and at most 64 entries are allowed. Duplicate
+ // entries are not permitted. Entries that are not valid hostnames,
+ // CIDRs, or IPs are silently ignored. Cluster-internal defaults
+ // (.cluster.local, .svc, 127.0.0.1, localhost) are always appended
+ // automatically and do not need to be included.
+ NoProxy []string `json:"noProxy,omitempty"`
+ // trustedCA is a reference to a ConfigMap in the openshift-config
+ // namespace containing a CA certificate bundle under the key
+ // "ca-bundle.crt". This bundle is appended to the system trust store
+ // used by authentication components for proxy TLS connections.
+ // When omitted, only the system trust store is used.
+ TrustedCA *AuthenticationConfigMapReferenceApplyConfiguration `json:"trustedCA,omitempty"`
+}
+
+// AuthenticationProxyConfigApplyConfiguration constructs a declarative configuration of the AuthenticationProxyConfig type for use with
+// apply.
+func AuthenticationProxyConfig() *AuthenticationProxyConfigApplyConfiguration {
+ return &AuthenticationProxyConfigApplyConfiguration{}
+}
+
+// WithHTTPProxy sets the HTTPProxy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the HTTPProxy field is set to the value of the last call.
+func (b *AuthenticationProxyConfigApplyConfiguration) WithHTTPProxy(value string) *AuthenticationProxyConfigApplyConfiguration {
+ b.HTTPProxy = &value
+ return b
+}
+
+// WithHTTPSProxy sets the HTTPSProxy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the HTTPSProxy field is set to the value of the last call.
+func (b *AuthenticationProxyConfigApplyConfiguration) WithHTTPSProxy(value string) *AuthenticationProxyConfigApplyConfiguration {
+ b.HTTPSProxy = &value
+ return b
+}
+
+// WithNoProxy adds the given value to the NoProxy field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the NoProxy field.
+func (b *AuthenticationProxyConfigApplyConfiguration) WithNoProxy(values ...string) *AuthenticationProxyConfigApplyConfiguration {
+ for i := range values {
+ b.NoProxy = append(b.NoProxy, values[i])
+ }
+ return b
+}
+
+// WithTrustedCA sets the TrustedCA field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TrustedCA field is set to the value of the last call.
+func (b *AuthenticationProxyConfigApplyConfiguration) WithTrustedCA(value *AuthenticationConfigMapReferenceApplyConfiguration) *AuthenticationProxyConfigApplyConfiguration {
+ b.TrustedCA = value
+ return b
+}
diff --git a/operator/applyconfigurations/operator/v1/authenticationspec.go b/operator/applyconfigurations/operator/v1/authenticationspec.go
index ac90816bc..4d2fb8c7c 100644
--- a/operator/applyconfigurations/operator/v1/authenticationspec.go
+++ b/operator/applyconfigurations/operator/v1/authenticationspec.go
@@ -11,6 +11,14 @@ import (
// with apply.
type AuthenticationSpecApplyConfiguration struct {
OperatorSpecApplyConfiguration `json:",inline"`
+ // proxy configures proxy settings for outbound connections made
+ // by the authentication stack. When set, it replaces the
+ // cluster-wide proxy (proxy.config.openshift.io/cluster)
+ // entirely for authentication — individual fields are not
+ // inherited from the cluster-wide configuration. When omitted,
+ // the cluster-wide proxy is used if configured; otherwise no
+ // proxy is used.
+ Proxy *AuthenticationProxyConfigApplyConfiguration `json:"proxy,omitempty"`
}
// AuthenticationSpecApplyConfiguration constructs a declarative configuration of the AuthenticationSpec type for use with
@@ -58,3 +66,11 @@ func (b *AuthenticationSpecApplyConfiguration) WithObservedConfig(value runtime.
b.OperatorSpecApplyConfiguration.ObservedConfig = &value
return b
}
+
+// WithProxy sets the Proxy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Proxy field is set to the value of the last call.
+func (b *AuthenticationSpecApplyConfiguration) WithProxy(value *AuthenticationProxyConfigApplyConfiguration) *AuthenticationSpecApplyConfiguration {
+ b.Proxy = value
+ return b
+}
diff --git a/operator/applyconfigurations/operator/v1/customsecretrotation.go b/operator/applyconfigurations/operator/v1/customsecretrotation.go
index 1dd976a86..189d31ad7 100644
--- a/operator/applyconfigurations/operator/v1/customsecretrotation.go
+++ b/operator/applyconfigurations/operator/v1/customsecretrotation.go
@@ -7,13 +7,17 @@ package v1
//
// CustomSecretRotation holds configuration for custom secret rotation behavior.
type CustomSecretRotationApplyConfiguration struct {
- // rotationPollIntervalSeconds is the minimum time in seconds between secret
- // rotation attempts. The driver skips provider calls if less than this interval
- // has elapsed since the last successful rotation.
+ // minimumRefreshAge is the minimum time in seconds between secret
+ // rotation attempts. Each time kubelet calls NodePublishVolume, the driver
+ // checks whether this interval has elapsed since the last successful provider
+ // call. If it has, the driver contacts the secret provider to fetch the latest
+ // secret values and updates the mounted volume.
+ // Setting this value below the kubelet syncFrequency (default: 1 minute)
+ // has no additional effect on the actual rotation cadence.
// Must be at least 1 second and no more than 31560000 seconds (~1 year).
// When omitted, this means no opinion and the platform is left to choose a
// reasonable default, which is subject to change over time.
- RotationPollIntervalSeconds *int32 `json:"rotationPollIntervalSeconds,omitempty"`
+ MinimumRefreshAge *int32 `json:"minimumRefreshAge,omitempty"`
}
// CustomSecretRotationApplyConfiguration constructs a declarative configuration of the CustomSecretRotation type for use with
@@ -22,10 +26,10 @@ func CustomSecretRotation() *CustomSecretRotationApplyConfiguration {
return &CustomSecretRotationApplyConfiguration{}
}
-// WithRotationPollIntervalSeconds sets the RotationPollIntervalSeconds field in the declarative configuration to the given value
+// WithMinimumRefreshAge sets the MinimumRefreshAge field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the RotationPollIntervalSeconds field is set to the value of the last call.
-func (b *CustomSecretRotationApplyConfiguration) WithRotationPollIntervalSeconds(value int32) *CustomSecretRotationApplyConfiguration {
- b.RotationPollIntervalSeconds = &value
+// If called multiple times, the MinimumRefreshAge field is set to the value of the last call.
+func (b *CustomSecretRotationApplyConfiguration) WithMinimumRefreshAge(value int32) *CustomSecretRotationApplyConfiguration {
+ b.MinimumRefreshAge = &value
return b
}
diff --git a/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go b/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go
index 9874c3b63..b6337158c 100644
--- a/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go
+++ b/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go
@@ -285,6 +285,27 @@ type IngressControllerSpecApplyConfiguration struct {
// - Using RSA keys larger than 2048 bits can significantly slow down
// TLS computations. Consider using the "Abort" policy to reduce CPU usage.
ClosedClientConnectionPolicy *operatorv1.IngressControllerClosedClientConnectionPolicy `json:"closedClientConnectionPolicy,omitempty"`
+ // haproxyVersion specifies the HAProxy version to use for this
+ // IngressController.
+ //
+ // OpenShift 5.0 introduces HAProxy 3.2 as its default version and supports
+ // HAProxy 2.8 from OpenShift 4.22 for migration purposes. When an OpenShift
+ // release introduces a new default HAProxy version, that HAProxy version
+ // becomes available as a pinnable value in subsequent OpenShift releases,
+ // providing a smooth migration path for administrators who want to defer
+ // HAProxy upgrades.
+ //
+ // Valid values for OpenShift 5.0:
+ // - Unset (default): Uses HAProxy 3.2 (the default for OpenShift 5.0)
+ // - "3.2": Explicitly pins HAProxy 3.2 for preservation during cluster
+ // upgrades to future OpenShift releases
+ // - "2.8": Uses HAProxy 2.8 from OpenShift 4.22 (migration support, will
+ // be dropped in the next OpenShift release)
+ //
+ // If a specific HAProxy version is set and would become unsupported in a
+ // target cluster upgrade, a preflight check will block the cluster upgrade
+ // until this field is updated to unset or a supported version.
+ HAProxyVersion *operatorv1.HAProxyVersion `json:"haproxyVersion,omitempty"`
}
// IngressControllerSpecApplyConfiguration constructs a declarative configuration of the IngressControllerSpec type for use with
@@ -444,3 +465,11 @@ func (b *IngressControllerSpecApplyConfiguration) WithClosedClientConnectionPoli
b.ClosedClientConnectionPolicy = &value
return b
}
+
+// WithHAProxyVersion sets the HAProxyVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the HAProxyVersion field is set to the value of the last call.
+func (b *IngressControllerSpecApplyConfiguration) WithHAProxyVersion(value operatorv1.HAProxyVersion) *IngressControllerSpecApplyConfiguration {
+ b.HAProxyVersion = &value
+ return b
+}
diff --git a/operator/applyconfigurations/operator/v1/ingresscontrollerstatus.go b/operator/applyconfigurations/operator/v1/ingresscontrollerstatus.go
index d42313f04..169f158b6 100644
--- a/operator/applyconfigurations/operator/v1/ingresscontrollerstatus.go
+++ b/operator/applyconfigurations/operator/v1/ingresscontrollerstatus.go
@@ -4,6 +4,7 @@ package v1
import (
configv1 "github.com/openshift/api/config/v1"
+ operatorv1 "github.com/openshift/api/operator/v1"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
@@ -64,6 +65,15 @@ type IngressControllerStatusApplyConfiguration struct {
NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
// routeSelector is the actual routeSelector in use.
RouteSelector *metav1.LabelSelectorApplyConfiguration `json:"routeSelector,omitempty"`
+ // effectiveHAProxyVersion reports the HAProxy version currently in use by
+ // this IngressController. This reflects the resolved value of the
+ // spec.haproxyVersion field. When omitted, the effective value has not yet
+ // been resolved by the operator or the feature is not enabled for this cluster.
+ //
+ // Examples for OpenShift 5.0:
+ // - "3.2": Using HAProxy 3.2
+ // - "2.8": Using HAProxy 2.8
+ EffectiveHAProxyVersion *operatorv1.HAProxyVersion `json:"effectiveHAProxyVersion,omitempty"`
}
// IngressControllerStatusApplyConfiguration constructs a declarative configuration of the IngressControllerStatus type for use with
@@ -148,3 +158,11 @@ func (b *IngressControllerStatusApplyConfiguration) WithRouteSelector(value *met
b.RouteSelector = value
return b
}
+
+// WithEffectiveHAProxyVersion sets the EffectiveHAProxyVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the EffectiveHAProxyVersion field is set to the value of the last call.
+func (b *IngressControllerStatusApplyConfiguration) WithEffectiveHAProxyVersion(value operatorv1.HAProxyVersion) *IngressControllerStatusApplyConfiguration {
+ b.EffectiveHAProxyVersion = &value
+ return b
+}
diff --git a/operator/applyconfigurations/operator/v1/nodestatus.go b/operator/applyconfigurations/operator/v1/nodestatus.go
index f107c370d..f39bba5af 100644
--- a/operator/applyconfigurations/operator/v1/nodestatus.go
+++ b/operator/applyconfigurations/operator/v1/nodestatus.go
@@ -4,6 +4,7 @@ package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
)
// NodeStatusApplyConfiguration represents a declarative configuration of the NodeStatus type for use
@@ -13,6 +14,13 @@ import (
type NodeStatusApplyConfiguration struct {
// nodeName is the name of the node
NodeName *string `json:"nodeName,omitempty"`
+ // nodeUID is the UID of the node.
+ // This field is used to detect that a node has been deleted and recreated
+ // with the same name. When the UID changes, it indicates the node is a
+ // new instance and the controller should treat this status entry as stale.
+ // When omitted, UID-based node replacement detection is not available
+ // for this entry.
+ NodeUID *types.UID `json:"nodeUID,omitempty"`
// currentRevision is the generation of the most recently successful deployment.
// Can not be set on creation of a nodeStatus. Updates must only increase the value.
CurrentRevision *int32 `json:"currentRevision,omitempty"`
@@ -47,6 +55,14 @@ func (b *NodeStatusApplyConfiguration) WithNodeName(value string) *NodeStatusApp
return b
}
+// WithNodeUID sets the NodeUID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NodeUID field is set to the value of the last call.
+func (b *NodeStatusApplyConfiguration) WithNodeUID(value types.UID) *NodeStatusApplyConfiguration {
+ b.NodeUID = &value
+ return b
+}
+
// WithCurrentRevision sets the CurrentRevision field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CurrentRevision field is set to the value of the last call.
diff --git a/operator/applyconfigurations/utils.go b/operator/applyconfigurations/utils.go
index cd03dd84d..bd16457a7 100644
--- a/operator/applyconfigurations/utils.go
+++ b/operator/applyconfigurations/utils.go
@@ -28,6 +28,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &operatorv1.AddPageApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("Authentication"):
return &operatorv1.AuthenticationApplyConfiguration{}
+ case v1.SchemeGroupVersion.WithKind("AuthenticationConfigMapReference"):
+ return &operatorv1.AuthenticationConfigMapReferenceApplyConfiguration{}
+ case v1.SchemeGroupVersion.WithKind("AuthenticationProxyConfig"):
+ return &operatorv1.AuthenticationProxyConfigApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("AuthenticationSpec"):
return &operatorv1.AuthenticationSpecApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("AuthenticationStatus"):
diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md
index 43c2d694b..9f8357fec 100644
--- a/vendor/github.com/openshift/api/features.md
+++ b/vendor/github.com/openshift/api/features.md
@@ -12,12 +12,12 @@
| ShortCertRotation| | | | | | | | |
| KarpenterOperator| | | | Enabled | | | | |
| MutableTopology| | | | Enabled | | | | |
+| AuthenticationComponentProxy| | | | Enabled | | | | Enabled |
| ClusterAPIComputeInstall| | | Enabled | Enabled | | | | |
| ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | |
| ClusterUpdatePreflight| | | Enabled | Enabled | | | | |
| ConfidentialCluster| | | Enabled | Enabled | | | | |
| Example2| | | Enabled | Enabled | | | | |
-| ExternalOIDCExternalClaimsSourcing| | | Enabled | Enabled | | | | |
| MachineAPIMigrationVSphere| | | Enabled | Enabled | | | | |
| NetworkConnect| | | Enabled | Enabled | | | | |
| NewOLMBoxCutterRuntime| | | | Enabled | | | | Enabled |
@@ -59,6 +59,7 @@
| DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled |
| EtcdBackendQuota| | | Enabled | Enabled | | | Enabled | Enabled |
| Example| | | Enabled | Enabled | | | Enabled | Enabled |
+| ExternalOIDCExternalClaimsSourcing| | | Enabled | Enabled | | | Enabled | Enabled |
| ExternalOIDCWithUpstreamParity| | | Enabled | Enabled | | | Enabled | Enabled |
| ExternalSnapshotMetadata| | | Enabled | Enabled | | | Enabled | Enabled |
| GCPCustomAPIEndpoints| | | Enabled | Enabled | | | Enabled | Enabled |
diff --git a/vendor/github.com/openshift/api/openapi/openapi.json b/vendor/github.com/openshift/api/openapi/openapi.json
index ba5b0ebd8..36bd7a342 100644
--- a/vendor/github.com/openshift/api/openapi/openapi.json
+++ b/vendor/github.com/openshift/api/openapi/openapi.json
@@ -5271,6 +5271,100 @@
}
}
},
+ "com.github.openshift.api.config.v1.CRIOCredentialProviderConfig": {
+ "description": "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+ "type": "object",
+ "required": [
+ "spec"
+ ],
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+ },
+ "spec": {
+ "description": "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.CRIOCredentialProviderConfigSpec"
+ },
+ "status": {
+ "description": "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.CRIOCredentialProviderConfigStatus"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1.CRIOCredentialProviderConfigList": {
+ "description": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+ "type": "object",
+ "required": [
+ "metadata",
+ "items"
+ ],
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.CRIOCredentialProviderConfig"
+ }
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1.CRIOCredentialProviderConfigSpec": {
+ "description": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+ "type": "object",
+ "properties": {
+ "matchImages": {
+ "description": "matchImages is a list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors. Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider. Conflicts between the existing platform specific provider image match configuration and this list will be handled by the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those from the CRIOCredentialProviderConfig when both match the same image. To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml). You can check the resource's Status conditions to see if any entries were ignored due to exact matches with known built-in provider patterns.\n\nThis field is optional, the items of the list must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "default": ""
+ },
+ "x-kubernetes-list-type": "set"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1.CRIOCredentialProviderConfigStatus": {
+ "description": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+ "type": "object",
+ "properties": {
+ "conditions": {
+ "description": "conditions represent the latest available observations of the configuration state. When omitted, it indicates that no conditions have been reported yet. The maximum number of conditions is 16. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+ },
+ "x-kubernetes-list-map-keys": [
+ "type"
+ ],
+ "x-kubernetes-list-type": "map"
+ }
+ }
+ },
"com.github.openshift.api.config.v1.CertInfo": {
"description": "CertInfo relates a certificate with a private key",
"type": "object",
@@ -8418,7 +8512,7 @@
"$ref": "#/definitions/com.github.openshift.api.config.v1.ConfigMapFileReference"
},
"controlPlaneTopology": {
- "description": "controlPlaneTopology expresses the desired topology configuration for control nodes. The 'HighlyAvailable' mode represents a \"normal\", 3 control node cluster. The 'SingleReplica' mode represents configuration where there is a single control node. If left blank, no change is required and no transitions will be triggered.",
+ "description": "controlPlaneTopology expresses the desired topology configuration for control nodes.\n\nWhen status.controlPlaneTopology is 'SingleReplica' and spec.controlPlaneTopology is set to 'HighlyAvailable', a transition will be triggered to reconfigure the cluster from SingleReplica to HighlyAvailable.\n\nWhen left blank or status.controlPlaneTopology and spec.controlPlaneTopology are the same value, no changes are required and no transitions will be triggered.\n\nThis value may be set to match status.controlPlaneTopology regardless of the current value.",
"type": "string"
},
"platformSpec": {
@@ -30493,6 +30587,14 @@
},
"x-kubernetes-list-type": "atomic"
},
+ "protocol": {
+ "description": "protocol specifies whether the Network Load Balancer uses PROXY protocol to forward connections to the IngressController.\n\nWhen set to \"TCP\", the NLB uses AWS's native client IP preservation. This may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node.\n\nWhen set to \"PROXY\", the NLB disables native client IP preservation and uses PROXY protocol v2. The IngressController enables PROXY protocol on HAProxy so that it can parse PROXY protocol headers to obtain the original client IP. This avoids hairpin connection failures.\n\nThe following values are valid for this field:\n\n* \"TCP\". * \"PROXY\".\n\nWhen omitted, this means the user has no opinion and the value is left to the platform to choose a reasonable default, which is subject to change over time. The current default is \"PROXY\".\n\nNote that changing this field may cause brief connection failures during the transition as the NLB attribute change and router rollout occur independently.\n\n\nPossible enum values:\n - `\"PROXY\"` instructs the NLB to forward connections using PROXY protocol v2.\n - `\"TCP\"` instructs the NLB to forward connections using TCP without PROXY protocol.",
+ "type": "string",
+ "enum": [
+ "PROXY",
+ "TCP"
+ ]
+ },
"subnets": {
"description": "subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10.\n\nIn order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values.\n\nWhen omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object.",
"$ref": "#/definitions/com.github.openshift.api.operator.v1.AWSSubnets"
@@ -30653,6 +30755,19 @@
}
}
},
+ "com.github.openshift.api.operator.v1.AuthenticationConfigMapReference": {
+ "description": "AuthenticationConfigMapReference references a ConfigMap in the openshift-config namespace.",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "description": "name is the metadata.name of the referenced ConfigMap. Must be a valid DNS subdomain name (RFC 1123): at most 253 characters, only lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character.",
+ "type": "string"
+ }
+ }
+ },
"com.github.openshift.api.operator.v1.AuthenticationList": {
"description": "AuthenticationList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"type": "object",
@@ -30683,6 +30798,34 @@
}
}
},
+ "com.github.openshift.api.operator.v1.AuthenticationProxyConfig": {
+ "description": "AuthenticationProxyConfig holds proxy configuration scoped to authentication components (the OAuth server and the cluster authentication operator).",
+ "type": "object",
+ "properties": {
+ "httpProxy": {
+ "description": "httpProxy is the URL of the proxy for HTTP requests. Must be a valid URL with http or https scheme, a non-empty hostname, and no path, query parameters, or fragment. Userinfo (e.g. user:password@host) is allowed for proxy authentication. Maximum length is 2048 characters.",
+ "type": "string"
+ },
+ "httpsProxy": {
+ "description": "httpsProxy is the URL of the proxy for HTTPS requests. Must be a valid URL with http or https scheme, a non-empty hostname, and no path, query parameters, or fragment. Userinfo (e.g. user:password@host) is allowed for proxy authentication. Maximum length is 2048 characters.",
+ "type": "string"
+ },
+ "noProxy": {
+ "description": "noProxy is a list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. Must contain at least one entry when set. Each entry must be between 1 and 253 characters long and at most 64 entries are allowed. Duplicate entries are not permitted. Entries that are not valid hostnames, CIDRs, or IPs are silently ignored. Cluster-internal defaults (.cluster.local, .svc, 127.0.0.1, localhost) are always appended automatically and do not need to be included.",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "default": ""
+ },
+ "x-kubernetes-list-type": "set"
+ },
+ "trustedCA": {
+ "description": "trustedCA is a reference to a ConfigMap in the openshift-config namespace containing a CA certificate bundle under the key \"ca-bundle.crt\". This bundle is appended to the system trust store used by authentication components for proxy TLS connections. When omitted, only the system trust store is used.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.AuthenticationConfigMapReference"
+ }
+ }
+ },
"com.github.openshift.api.operator.v1.AuthenticationSpec": {
"type": "object",
"required": [
@@ -30706,6 +30849,11 @@
"description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".",
"type": "string"
},
+ "proxy": {
+ "description": "proxy configures proxy settings for outbound connections made by the authentication stack. When set, it replaces the cluster-wide proxy (proxy.config.openshift.io/cluster) entirely for authentication — individual fields are not inherited from the cluster-wide configuration. When omitted, the cluster-wide proxy is used if configured; otherwise no proxy is used.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.AuthenticationProxyConfig"
+ },
"unsupportedConfigOverrides": {
"description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.",
"$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"
@@ -30898,7 +31046,7 @@
"$ref": "#/definitions/com.github.openshift.api.operator.v1.AzureCSIDriverConfigSpec"
},
"driverType": {
- "description": "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. Consumers should treat unknown values as a NO-OP.",
+ "description": "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP.",
"type": "string",
"default": ""
},
@@ -30910,6 +31058,11 @@
"description": "ibmcloud is used to configure the IBM Cloud CSI driver.",
"$ref": "#/definitions/com.github.openshift.api.operator.v1.IBMCloudCSIDriverConfigSpec"
},
+ "secretsStore": {
+ "description": "secretsStore is used to configure the Secrets Store CSI driver.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.SecretsStoreCSIDriverConfigSpec"
+ },
"vSphere": {
"description": "vSphere is used to configure the vsphere CSI driver.",
"$ref": "#/definitions/com.github.openshift.api.operator.v1.VSphereCSIDriverConfigSpec"
@@ -30923,6 +31076,7 @@
"azure": "Azure",
"gcp": "GCP",
"ibmcloud": "IBMCloud",
+ "secretsStore": "SecretsStore",
"vSphere": "VSphere"
}
}
@@ -31958,6 +32112,17 @@
}
}
},
+ "com.github.openshift.api.operator.v1.CustomSecretRotation": {
+ "description": "CustomSecretRotation holds configuration for custom secret rotation behavior.",
+ "type": "object",
+ "properties": {
+ "rotationPollIntervalSeconds": {
+ "description": "rotationPollIntervalSeconds is the minimum time in seconds between secret rotation attempts. The driver skips provider calls if less than this interval has elapsed since the last successful rotation. Must be at least 1 second and no more than 31560000 seconds (~1 year). When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
+ "type": "integer",
+ "format": "int32"
+ }
+ }
+ },
"com.github.openshift.api.operator.v1.DNS": {
"description": "DNS manages the CoreDNS component to provide a name resolution service for pods and services in the cluster.\n\nThis supports the DNS-based service discovery specification: https://github.com/kubernetes/dns/blob/master/docs/specification.md\n\nMore details: https://kubernetes.io/docs/tasks/administer-cluster/coredns\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"type": "object",
@@ -34903,6 +35068,24 @@
}
}
},
+ "com.github.openshift.api.operator.v1.ManagedTokenRequests": {
+ "description": "ManagedTokenRequests holds the configuration for operator-managed service account token requests.",
+ "type": "object",
+ "properties": {
+ "audiences": {
+ "description": "audiences specifies service account token audiences that kubelet will provide to the CSI driver during NodePublishVolume calls. These tokens enable workload identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. When empty, the operator clears all tokenRequests from the CSIDriver object.",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.SecretsStoreTokenRequest"
+ },
+ "x-kubernetes-list-map-keys": [
+ "audience"
+ ],
+ "x-kubernetes-list-type": "map"
+ }
+ }
+ },
"com.github.openshift.api.operator.v1.MyOperatorResource": {
"description": "MyOperatorResource is an example operator configuration type\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
"type": "object",
@@ -35630,6 +35813,10 @@
"type": "string",
"default": ""
},
+ "nodeUID": {
+ "description": "nodeUID is the UID of the node. This field is used to detect that a node has been deleted and recreated with the same name. When the UID changes, it indicates the node is a new instance and the status should be reset.",
+ "type": "string"
+ },
"targetRevision": {
"description": "targetRevision is the generation of the deployment we're trying to apply. Can not be set on creation of a nodeStatus.",
"type": "integer",
@@ -36622,6 +36809,92 @@
}
}
},
+ "com.github.openshift.api.operator.v1.SecretsStoreCSIDriverConfigSpec": {
+ "description": "SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.",
+ "type": "object",
+ "properties": {
+ "secretRotation": {
+ "description": "secretRotation controls automatic secret rotation behavior. When omitted, secret rotation is enabled with a default poll interval of 2 minutes.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.SecretsStoreSecretRotation"
+ },
+ "tokenRequests": {
+ "description": "tokenRequests controls service account token configuration for workload identity federation (WIF) with cloud providers. When omitted, the operator preserves any existing tokenRequests already configured on the CSIDriver object without modification.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.SecretsStoreTokenRequests"
+ }
+ }
+ },
+ "com.github.openshift.api.operator.v1.SecretsStoreSecretRotation": {
+ "description": "SecretsStoreSecretRotation configures the automatic secret rotation behavior for the Secrets Store CSI driver.",
+ "type": "object",
+ "required": [
+ "type"
+ ],
+ "properties": {
+ "custom": {
+ "description": "custom holds the custom rotation configuration. Only valid when type is \"Custom\".",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.CustomSecretRotation"
+ },
+ "type": {
+ "description": "type determines the secret rotation behavior. When \"None\", secret rotation is disabled and secrets are only fetched at initial pod mount time. When \"Custom\", secret rotation is enabled with the configuration specified in the custom field.",
+ "type": "string"
+ }
+ },
+ "x-kubernetes-unions": [
+ {
+ "discriminator": "type",
+ "fields-to-discriminateBy": {
+ "custom": "Custom"
+ }
+ }
+ ]
+ },
+ "com.github.openshift.api.operator.v1.SecretsStoreTokenRequest": {
+ "description": "SecretsStoreTokenRequest specifies a service account token audience configuration for workload identity federation (WIF) with the Secrets Store CSI driver.",
+ "type": "object",
+ "required": [
+ "audience"
+ ],
+ "properties": {
+ "audience": {
+ "description": "audience is the intended audience of the service account token. An empty string means the issued token will use the kube-apiserver's default APIAudiences.",
+ "type": "string"
+ },
+ "expirationSeconds": {
+ "description": "expirationSeconds is the requested duration of validity of the service account token. The token issuer may return a token with a different validity duration. When omitted, the token expiration is determined by the kube-apiserver. Must be at least 600 seconds (10 minutes) and no more than 315360000 seconds (~10 years).",
+ "type": "integer",
+ "format": "int32"
+ }
+ }
+ },
+ "com.github.openshift.api.operator.v1.SecretsStoreTokenRequests": {
+ "description": "SecretsStoreTokenRequests configures how service account tokens are provided to the Secrets Store CSI driver for workload identity federation.",
+ "type": "object",
+ "required": [
+ "type"
+ ],
+ "properties": {
+ "managed": {
+ "description": "managed holds configuration for operator-managed tokenRequests. Only valid when type is \"Managed\".",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.operator.v1.ManagedTokenRequests"
+ },
+ "type": {
+ "description": "type determines how the operator manages tokenRequests on the CSIDriver object. When \"Unmanaged\", existing tokenRequests on the CSIDriver are preserved and the managed field is not used. When \"Managed\", the operator sets tokenRequests from the audiences specified in the managed field, replacing any previously configured values. Once set to \"Managed\", type cannot be reverted back to \"Unmanaged\".",
+ "type": "string"
+ }
+ },
+ "x-kubernetes-unions": [
+ {
+ "discriminator": "type",
+ "fields-to-discriminateBy": {
+ "managed": "Managed"
+ }
+ }
+ ]
+ },
"com.github.openshift.api.operator.v1.Server": {
"description": "Server defines the schema for a server that runs per instance of CoreDNS.",
"type": "object",
diff --git a/vendor/github.com/openshift/api/operator/v1/types.go b/vendor/github.com/openshift/api/operator/v1/types.go
index 3a2141abb..d9bf6880c 100644
--- a/vendor/github.com/openshift/api/operator/v1/types.go
+++ b/vendor/github.com/openshift/api/operator/v1/types.go
@@ -3,6 +3,7 @@ package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
)
// MyOperatorResource is an example operator configuration type
@@ -266,6 +267,15 @@ type NodeStatus struct {
// +required
NodeName string `json:"nodeName"`
+ // nodeUID is the UID of the node.
+ // This field is used to detect that a node has been deleted and recreated
+ // with the same name. When the UID changes, it indicates the node is a
+ // new instance and the controller should treat this status entry as stale.
+ // When omitted, UID-based node replacement detection is not available
+ // for this entry.
+ // +optional
+ NodeUID types.UID `json:"nodeUID,omitempty"`
+
// currentRevision is the generation of the most recently successful deployment.
// Can not be set on creation of a nodeStatus. Updates must only increase the value.
// +kubebuilder:validation:XValidation:rule="self >= oldSelf",message="must only increase"
diff --git a/vendor/github.com/openshift/api/operator/v1/types_authentication.go b/vendor/github.com/openshift/api/operator/v1/types_authentication.go
index 4d0e9f6d6..55fc62a79 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_authentication.go
@@ -33,6 +33,94 @@ type Authentication struct {
type AuthenticationSpec struct {
OperatorSpec `json:",inline"`
+
+ // proxy configures proxy settings for outbound connections made
+ // by the authentication stack. When set, it replaces the
+ // cluster-wide proxy (proxy.config.openshift.io/cluster)
+ // entirely for authentication — individual fields are not
+ // inherited from the cluster-wide configuration. When omitted,
+ // the cluster-wide proxy is used if configured; otherwise no
+ // proxy is used.
+ // +openshift:enable:FeatureGate=AuthenticationComponentProxy
+ // +optional
+ Proxy AuthenticationProxyConfig `json:"proxy,omitzero"`
+}
+
+// AuthenticationProxyConfig holds proxy configuration scoped to
+// authentication components (the OAuth server and the cluster
+// authentication operator).
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:XValidation:rule="has(self.httpProxy) || has(self.httpsProxy)",message="at least one of httpProxy or httpsProxy must be specified"
+type AuthenticationProxyConfig struct {
+ // httpProxy is the URL of the proxy for HTTP requests.
+ // Must be a valid URL with http or https scheme, a non-empty
+ // hostname, and no path, query parameters, or fragment.
+ // Userinfo (e.g. user:password@host) is allowed for proxy
+ // authentication. Maximum length is 2048 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=2048
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="httpProxy must be a valid URL"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || url(self).getScheme() in ['http', 'https']",message="httpProxy must use http or https scheme"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || size(url(self).getHostname()) > 0",message="httpProxy must contain a hostname"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || url(self).getEscapedPath() == '' || url(self).getEscapedPath() == '/'",message="httpProxy must not contain a path"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || url(self).getQuery().size() == 0",message="httpProxy must not contain query parameters"
+ // +kubebuilder:validation:XValidation:rule="!self.matches('.*#.*')",message="httpProxy must not contain a fragment"
+ // +optional
+ HTTPProxy string `json:"httpProxy,omitempty"`
+
+ // httpsProxy is the URL of the proxy for HTTPS requests.
+ // Must be a valid URL with http or https scheme, a non-empty
+ // hostname, and no path, query parameters, or fragment.
+ // Userinfo (e.g. user:password@host) is allowed for proxy
+ // authentication. Maximum length is 2048 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=2048
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="httpsProxy must be a valid URL"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || url(self).getScheme() in ['http', 'https']",message="httpsProxy must use http or https scheme"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || size(url(self).getHostname()) > 0",message="httpsProxy must contain a hostname"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || url(self).getEscapedPath() == '' || url(self).getEscapedPath() == '/'",message="httpsProxy must not contain a path"
+ // +kubebuilder:validation:XValidation:rule="!isURL(self) || url(self).getQuery().size() == 0",message="httpsProxy must not contain query parameters"
+ // +kubebuilder:validation:XValidation:rule="!self.matches('.*#.*')",message="httpsProxy must not contain a fragment"
+ // +optional
+ HTTPSProxy string `json:"httpsProxy,omitempty"`
+
+ // noProxy is a list of hostnames and/or CIDRs and/or IPs for which
+ // the proxy should not be used. Must contain at least one entry
+ // when set. Each entry must be between 1 and 253 characters long
+ // and at most 64 entries are allowed. Duplicate
+ // entries are not permitted. Entries that are not valid hostnames,
+ // CIDRs, or IPs are silently ignored. Cluster-internal defaults
+ // (.cluster.local, .svc, 127.0.0.1, localhost) are always appended
+ // automatically and do not need to be included.
+ // +listType=set
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=64
+ // +kubebuilder:validation:items:MinLength=1
+ // +kubebuilder:validation:items:MaxLength=253
+ // +optional
+ NoProxy []string `json:"noProxy,omitempty"`
+
+ // trustedCA is a reference to a ConfigMap in the openshift-config
+ // namespace containing a CA certificate bundle under the key
+ // "ca-bundle.crt". This bundle is appended to the system trust store
+ // used by authentication components for proxy TLS connections.
+ // When omitted, only the system trust store is used.
+ // +optional
+ TrustedCA AuthenticationConfigMapReference `json:"trustedCA,omitzero"`
+}
+
+// AuthenticationConfigMapReference references a ConfigMap in the
+// openshift-config namespace.
+type AuthenticationConfigMapReference struct {
+ // name is the metadata.name of the referenced ConfigMap.
+ // Must be a valid DNS subdomain name (RFC 1123): at most 253
+ // characters, only lowercase alphanumeric characters, '-' or
+ // '.', starting and ending with an alphanumeric character.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must be a valid DNS subdomain name: contain no more than 253 characters, contain only lowercase alphanumeric characters, '-' or '.', and start and end with an alphanumeric character"
+ // +required
+ Name string `json:"name,omitempty"`
}
type AuthenticationStatus struct {
diff --git a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go
index 51ecab70c..fca2c808d 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go
@@ -506,16 +506,28 @@ type SecretsStoreSecretRotation struct {
// CustomSecretRotation holds configuration for custom secret rotation behavior.
// +kubebuilder:validation:MinProperties=1
type CustomSecretRotation struct {
- // rotationPollIntervalSeconds is the minimum time in seconds between secret
- // rotation attempts. The driver skips provider calls if less than this interval
- // has elapsed since the last successful rotation.
+ // minimumRefreshAge is the minimum time in seconds between secret
+ // rotation attempts. Each time kubelet calls NodePublishVolume, the driver
+ // checks whether this interval has elapsed since the last successful provider
+ // call. If it has, the driver contacts the secret provider to fetch the latest
+ // secret values and updates the mounted volume.
+ // Setting this value below the kubelet syncFrequency (default: 1 minute)
+ // has no additional effect on the actual rotation cadence.
// Must be at least 1 second and no more than 31560000 seconds (~1 year).
// When omitted, this means no opinion and the platform is left to choose a
// reasonable default, which is subject to change over time.
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=31560000
// +optional
- RotationPollIntervalSeconds int32 `json:"rotationPollIntervalSeconds,omitempty"`
+ MinimumRefreshAge int32 `json:"minimumRefreshAge,omitempty"`
+
+ // --- TOMBSTONE ---
+ // rotationPollIntervalSeconds was the previous name for minimumRefreshAge.
+ // The field has been renamed to better reflect its semantics.
+ // The JSON key is reserved to prevent reuse.
+ //
+ // +optional
+ // RotationPollIntervalSeconds int32 `json:"rotationPollIntervalSeconds,omitempty"`
}
// SecretsStoreTokenRequest specifies a service account token audience configuration
diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go b/vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
index 52bfdede3..2d442d4b4 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
@@ -385,6 +385,31 @@ type IngressControllerSpec struct {
// +kubebuilder:default:="Continue"
// +default="Continue"
ClosedClientConnectionPolicy IngressControllerClosedClientConnectionPolicy `json:"closedClientConnectionPolicy,omitempty"`
+
+ // haproxyVersion specifies the HAProxy version to use for this
+ // IngressController.
+ //
+ // OpenShift 5.0 introduces HAProxy 3.2 as its default version and supports
+ // HAProxy 2.8 from OpenShift 4.22 for migration purposes. When an OpenShift
+ // release introduces a new default HAProxy version, that HAProxy version
+ // becomes available as a pinnable value in subsequent OpenShift releases,
+ // providing a smooth migration path for administrators who want to defer
+ // HAProxy upgrades.
+ //
+ // Valid values for OpenShift 5.0:
+ // - Unset (default): Uses HAProxy 3.2 (the default for OpenShift 5.0)
+ // - "3.2": Explicitly pins HAProxy 3.2 for preservation during cluster
+ // upgrades to future OpenShift releases
+ // - "2.8": Uses HAProxy 2.8 from OpenShift 4.22 (migration support, will
+ // be dropped in the next OpenShift release)
+ //
+ // If a specific HAProxy version is set and would become unsupported in a
+ // target cluster upgrade, a preflight check will block the cluster upgrade
+ // until this field is updated to unset or a supported version.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=IngressControllerMultipleHAProxyVersions
+ HAProxyVersion HAProxyVersion `json:"haproxyVersion,omitempty"`
}
// httpCompressionPolicy turns on compression for the specified MIME types.
@@ -2263,6 +2288,19 @@ type IngressControllerStatus struct {
// routeSelector is the actual routeSelector in use.
// +optional
RouteSelector *metav1.LabelSelector `json:"routeSelector,omitempty"`
+
+ // effectiveHAProxyVersion reports the HAProxy version currently in use by
+ // this IngressController. This reflects the resolved value of the
+ // spec.haproxyVersion field. When omitted, the effective value has not yet
+ // been resolved by the operator or the feature is not enabled for this cluster.
+ //
+ // Examples for OpenShift 5.0:
+ // - "3.2": Using HAProxy 3.2
+ // - "2.8": Using HAProxy 2.8
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=IngressControllerMultipleHAProxyVersions
+ EffectiveHAProxyVersion HAProxyVersion `json:"effectiveHAProxyVersion,omitempty"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -2331,3 +2369,18 @@ const (
// server's response regardless of the client having closed the connection.
IngressControllerClosedClientConnectionPolicyContinue IngressControllerClosedClientConnectionPolicy = "Continue"
)
+
+// HAProxyVersion is a string representing a HAProxy minor version in "X.Y"
+// format. The allowed values are constrained by enum validation and vary by
+// OpenShift release.
+//
+// +kubebuilder:validation:Enum="2.8";"3.2"
+type HAProxyVersion string
+
+const (
+ // HAProxyVersion28 represents HAProxy 2.8, shipped with OpenShift 4.22.
+ HAProxyVersion28 HAProxyVersion = "2.8"
+
+ // HAProxyVersion32 represents HAProxy 3.2, introduced in OpenShift 5.0.
+ HAProxyVersion32 HAProxyVersion = "3.2"
+)
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
index 0a6726b19..3c244a986 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
@@ -285,6 +285,22 @@ func (in *Authentication) DeepCopyObject() runtime.Object {
return nil
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationConfigMapReference) DeepCopyInto(out *AuthenticationConfigMapReference) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfigMapReference.
+func (in *AuthenticationConfigMapReference) DeepCopy() *AuthenticationConfigMapReference {
+ if in == nil {
+ return nil
+ }
+ out := new(AuthenticationConfigMapReference)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AuthenticationList) DeepCopyInto(out *AuthenticationList) {
*out = *in
@@ -318,10 +334,33 @@ func (in *AuthenticationList) DeepCopyObject() runtime.Object {
return nil
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationProxyConfig) DeepCopyInto(out *AuthenticationProxyConfig) {
+ *out = *in
+ if in.NoProxy != nil {
+ in, out := &in.NoProxy, &out.NoProxy
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ out.TrustedCA = in.TrustedCA
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationProxyConfig.
+func (in *AuthenticationProxyConfig) DeepCopy() *AuthenticationProxyConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(AuthenticationProxyConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec) {
*out = *in
in.OperatorSpec.DeepCopyInto(&out.OperatorSpec)
+ in.Proxy.DeepCopyInto(&out.Proxy)
return
}
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
index 9edb02ec6..aab9e3564 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -6,6 +6,7 @@ authentications.operator.openshift.io:
Capability: ""
Category: ""
FeatureGates:
+ - AuthenticationComponentProxy
- KMSEncryption
FilenameOperatorName: authentication
FilenameOperatorOrdering: "01"
@@ -179,6 +180,7 @@ ingresscontrollers.operator.openshift.io:
Category: ""
FeatureGates:
- IngressControllerDynamicConfigurationManager
+ - IngressControllerMultipleHAProxyVersions
- TLSGroupPreferences
FilenameOperatorName: ingress
FilenameOperatorOrdering: "00"
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.model_name.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.model_name.go
index c6a047d2c..271665a7e 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.model_name.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.model_name.go
@@ -65,11 +65,21 @@ func (in Authentication) OpenAPIModelName() string {
return "com.github.openshift.api.operator.v1.Authentication"
}
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AuthenticationConfigMapReference) OpenAPIModelName() string {
+ return "com.github.openshift.api.operator.v1.AuthenticationConfigMapReference"
+}
+
// OpenAPIModelName returns the OpenAPI model name for this type.
func (in AuthenticationList) OpenAPIModelName() string {
return "com.github.openshift.api.operator.v1.AuthenticationList"
}
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AuthenticationProxyConfig) OpenAPIModelName() string {
+ return "com.github.openshift.api.operator.v1.AuthenticationProxyConfig"
+}
+
// OpenAPIModelName returns the OpenAPI model name for this type.
func (in AuthenticationSpec) OpenAPIModelName() string {
return "com.github.openshift.api.operator.v1.AuthenticationSpec"
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
index a79189ffc..2825e758b 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
@@ -37,6 +37,7 @@ func (MyOperatorResource) SwaggerDoc() map[string]string {
var map_NodeStatus = map[string]string{
"": "NodeStatus provides information about the current state of a particular node managed by this operator.",
"nodeName": "nodeName is the name of the node",
+ "nodeUID": "nodeUID is the UID of the node. This field is used to detect that a node has been deleted and recreated with the same name. When the UID changes, it indicates the node is a new instance and the controller should treat this status entry as stale. When omitted, UID-based node replacement detection is not available for this entry.",
"currentRevision": "currentRevision is the generation of the most recently successful deployment. Can not be set on creation of a nodeStatus. Updates must only increase the value.",
"targetRevision": "targetRevision is the generation of the deployment we're trying to apply. Can not be set on creation of a nodeStatus.",
"lastFailedRevision": "lastFailedRevision is the generation of the deployment we tried and failed to deploy.",
@@ -118,6 +119,15 @@ func (Authentication) SwaggerDoc() map[string]string {
return map_Authentication
}
+var map_AuthenticationConfigMapReference = map[string]string{
+ "": "AuthenticationConfigMapReference references a ConfigMap in the openshift-config namespace.",
+ "name": "name is the metadata.name of the referenced ConfigMap. Must be a valid DNS subdomain name (RFC 1123): at most 253 characters, only lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character.",
+}
+
+func (AuthenticationConfigMapReference) SwaggerDoc() map[string]string {
+ return map_AuthenticationConfigMapReference
+}
+
var map_AuthenticationList = map[string]string{
"": "AuthenticationList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -127,6 +137,26 @@ func (AuthenticationList) SwaggerDoc() map[string]string {
return map_AuthenticationList
}
+var map_AuthenticationProxyConfig = map[string]string{
+ "": "AuthenticationProxyConfig holds proxy configuration scoped to authentication components (the OAuth server and the cluster authentication operator).",
+ "httpProxy": "httpProxy is the URL of the proxy for HTTP requests. Must be a valid URL with http or https scheme, a non-empty hostname, and no path, query parameters, or fragment. Userinfo (e.g. user:password@host) is allowed for proxy authentication. Maximum length is 2048 characters.",
+ "httpsProxy": "httpsProxy is the URL of the proxy for HTTPS requests. Must be a valid URL with http or https scheme, a non-empty hostname, and no path, query parameters, or fragment. Userinfo (e.g. user:password@host) is allowed for proxy authentication. Maximum length is 2048 characters.",
+ "noProxy": "noProxy is a list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. Must contain at least one entry when set. Each entry must be between 1 and 253 characters long and at most 64 entries are allowed. Duplicate entries are not permitted. Entries that are not valid hostnames, CIDRs, or IPs are silently ignored. Cluster-internal defaults (.cluster.local, .svc, 127.0.0.1, localhost) are always appended automatically and do not need to be included.",
+ "trustedCA": "trustedCA is a reference to a ConfigMap in the openshift-config namespace containing a CA certificate bundle under the key \"ca-bundle.crt\". This bundle is appended to the system trust store used by authentication components for proxy TLS connections. When omitted, only the system trust store is used.",
+}
+
+func (AuthenticationProxyConfig) SwaggerDoc() map[string]string {
+ return map_AuthenticationProxyConfig
+}
+
+var map_AuthenticationSpec = map[string]string{
+ "proxy": "proxy configures proxy settings for outbound connections made by the authentication stack. When set, it replaces the cluster-wide proxy (proxy.config.openshift.io/cluster) entirely for authentication — individual fields are not inherited from the cluster-wide configuration. When omitted, the cluster-wide proxy is used if configured; otherwise no proxy is used.",
+}
+
+func (AuthenticationSpec) SwaggerDoc() map[string]string {
+ return map_AuthenticationSpec
+}
+
var map_AuthenticationStatus = map[string]string{
"oauthAPIServer": "oauthAPIServer holds status specific only to oauth-apiserver",
}
@@ -569,8 +599,8 @@ func (ClusterCSIDriverStatus) SwaggerDoc() map[string]string {
}
var map_CustomSecretRotation = map[string]string{
- "": "CustomSecretRotation holds configuration for custom secret rotation behavior.",
- "rotationPollIntervalSeconds": "rotationPollIntervalSeconds is the minimum time in seconds between secret rotation attempts. The driver skips provider calls if less than this interval has elapsed since the last successful rotation. Must be at least 1 second and no more than 31560000 seconds (~1 year). When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
+ "": "CustomSecretRotation holds configuration for custom secret rotation behavior.",
+ "minimumRefreshAge": "minimumRefreshAge is the minimum time in seconds between secret rotation attempts. Each time kubelet calls NodePublishVolume, the driver checks whether this interval has elapsed since the last successful provider call. If it has, the driver contacts the secret provider to fetch the latest secret values and updates the mounted volume. Setting this value below the kubelet syncFrequency (default: 1 minute) has no additional effect on the actual rotation cadence. Must be at least 1 second and no more than 31560000 seconds (~1 year). When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
}
func (CustomSecretRotation) SwaggerDoc() map[string]string {
@@ -1143,6 +1173,7 @@ var map_IngressControllerSpec = map[string]string{
"httpCompression": "httpCompression defines a policy for HTTP traffic compression. By default, there is no HTTP compression.",
"idleConnectionTerminationPolicy": "idleConnectionTerminationPolicy maps directly to HAProxy's idle-close-on-response option and controls whether HAProxy keeps idle frontend connections open during a soft stop (router reload).\n\nAllowed values for this field are \"Immediate\" and \"Deferred\". The default value is \"Immediate\".\n\nWhen set to \"Immediate\", idle connections are closed immediately during router reloads. This ensures immediate propagation of route changes but may impact clients sensitive to connection resets.\n\nWhen set to \"Deferred\", HAProxy will maintain idle connections during a soft reload instead of closing them immediately. These connections remain open until any of the following occurs:\n\n - A new request is received on the connection, in which\n case HAProxy handles it in the old process and closes\n the connection after sending the response.\n\n - HAProxy's `timeout http-keep-alive` duration expires.\n By default this is 300 seconds, but it can be changed\n using httpKeepAliveTimeout tuning option.\n\n - The client's keep-alive timeout expires, causing the\n client to close the connection.\n\nSetting Deferred can help prevent errors in clients or load balancers that do not properly handle connection resets. Additionally, this option allows you to retain the pre-2.4 HAProxy behaviour: in HAProxy version 2.2 (OpenShift versions < 4.14), maintaining idle connections during a soft reload was the default behaviour, but starting with HAProxy 2.4, the default changed to closing idle connections immediately.\n\nImportant Consideration:\n\n - Using Deferred will result in temporary inconsistencies\n for the first request on each persistent connection\n after a route update and router reload. This request\n will be processed by the old HAProxy process using its\n old configuration. Subsequent requests will use the\n updated configuration.\n\nOperational Considerations:\n\n - Keeping idle connections open during reloads may lead\n to an accumulation of old HAProxy processes if\n connections remain idle for extended periods,\n especially in environments where frequent reloads\n occur.\n\n - Consider monitoring the number of HAProxy processes in\n the router pods when Deferred is set.\n\n - You may need to enable or adjust the\n `ingress.operator.openshift.io/hard-stop-after`\n duration (configured via an annotation on the\n IngressController resource) in environments with\n frequent reloads to prevent resource exhaustion.",
"closedClientConnectionPolicy": "closedClientConnectionPolicy controls how the IngressController behaves when the client closes the TCP connection while the TLS handshake or HTTP request is in progress. This option maps directly to HAProxy’s \"abortonclose\" option.\n\nValid values are: \"Abort\" and \"Continue\". The default value is \"Continue\".\n\nWhen set to \"Abort\", the router will stop processing the TLS handshake if it is in progress, and it will not send an HTTP request to the backend server if the request has not yet been sent when the client closes the connection.\n\nWhen set to \"Continue\", the router will complete the TLS handshake if it is in progress, or send an HTTP request to the backend server and wait for the backend server's response, regardless of whether the client has closed the connection.\n\nSetting \"Abort\" can help free CPU resources otherwise spent on TLS computation for connections the client has already closed, and can reduce request queue size, thereby reducing the load on saturated backend servers.\n\nImportant Considerations:\n\n - The default policy (\"Continue\") is HTTP-compliant, and requests\n for aborted client connections will still be served.\n Use the \"Continue\" policy to allow a client to send a request\n and then immediately close its side of the connection while\n still receiving a response on the half-closed connection.\n\n - When clients use keep-alive connections, the most common case for premature\n closure is when the user wants to cancel the transfer or when a timeout\n occurs. In that case, the \"Abort\" policy may be used to reduce resource consumption.\n\n - Using RSA keys larger than 2048 bits can significantly slow down\n TLS computations. Consider using the \"Abort\" policy to reduce CPU usage.",
+ "haproxyVersion": "haproxyVersion specifies the HAProxy version to use for this IngressController.\n\nOpenShift 5.0 introduces HAProxy 3.2 as its default version and supports HAProxy 2.8 from OpenShift 4.22 for migration purposes. When an OpenShift release introduces a new default HAProxy version, that HAProxy version becomes available as a pinnable value in subsequent OpenShift releases, providing a smooth migration path for administrators who want to defer HAProxy upgrades.\n\nValid values for OpenShift 5.0: - Unset (default): Uses HAProxy 3.2 (the default for OpenShift 5.0) - \"3.2\": Explicitly pins HAProxy 3.2 for preservation during cluster\n upgrades to future OpenShift releases\n- \"2.8\": Uses HAProxy 2.8 from OpenShift 4.22 (migration support, will\n be dropped in the next OpenShift release)\n\nIf a specific HAProxy version is set and would become unsupported in a target cluster upgrade, a preflight check will block the cluster upgrade until this field is updated to unset or a supported version.",
}
func (IngressControllerSpec) SwaggerDoc() map[string]string {
@@ -1160,6 +1191,7 @@ var map_IngressControllerStatus = map[string]string{
"observedGeneration": "observedGeneration is the most recent generation observed.",
"namespaceSelector": "namespaceSelector is the actual namespaceSelector in use.",
"routeSelector": "routeSelector is the actual routeSelector in use.",
+ "effectiveHAProxyVersion": "effectiveHAProxyVersion reports the HAProxy version currently in use by this IngressController. This reflects the resolved value of the spec.haproxyVersion field. When omitted, the effective value has not yet been resolved by the operator or the feature is not enabled for this cluster.\n\nExamples for OpenShift 5.0: - \"3.2\": Using HAProxy 3.2 - \"2.8\": Using HAProxy 2.8",
}
func (IngressControllerStatus) SwaggerDoc() map[string]string {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8700593c5..5c4a3995e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -86,7 +86,7 @@ github.com/modern-go/reflect2
# github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
## explicit
github.com/munnerz/goautoneg
-# github.com/openshift/api v0.0.0-20260702202555-ef71f942ef6c
+# github.com/openshift/api v0.0.0-20260702202555-ef71f942ef6c => github.com/bhperry/openshift-api v0.0.0-20260708145042-cb0d569718cc
## explicit; go 1.25.0
github.com/openshift/api
github.com/openshift/api/apiextensions
@@ -564,3 +564,4 @@ sigs.k8s.io/structured-merge-diff/v6/value
# sigs.k8s.io/yaml v1.6.0
## explicit; go 1.22
sigs.k8s.io/yaml
+# github.com/openshift/api => github.com/bhperry/openshift-api v0.0.0-20260708145042-cb0d569718cc